 Post subject: reddii.org/traffic/ft01/loader.exe
PostPosted: Sun Apr 13, 2008 12:47 am 
Site Admin

Joined: Thu Mar 27, 2008 1:06 pm
Posts: 163
Location: India
Download Link: hxxp://reddii.org/traffic/ft01/loader.exe

File Name: loader.exe

VirusTotal Result: 20/32 (62.5%)
AntiVir 7.6.0.85 2008.04.11 TR/Dldr.Tiny.IQ.28
Avast 4.8.1169.0 2008.04.12 Win32:Tiny-IA
AVG 7.5.0.516 2008.04.12 Downloader.Generic7.VZ
BitDefender 7.2 2008.04.12 MemScan:Trojan.Downloader.Tiny.IQ
CAT-QuickHeal 9.50 2008.04.12 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.12 Trojan.Downloader-10105
DrWeb 4.44.0.09170 2008.04.12 Trojan.Packed.151
eTrust-Vet 31.3.5692 2008.04.11 Win32/Behdevy
F-Secure 6.70.13260.0 2008.04.11 W32/Tibs.gen159
Fortinet 3.14.0.0 2008.04.12 W32/Dloader.J!tr
Ikarus T3.1.1.26.0 2008.04.12 Trojan.Win32.Trojan-Downloader.Tiny.NCT
Kaspersky 7.0.0.125 2008.04.12 Heur.Downloader
NOD32v2 3020 2008.04.11 Win32/TrojanDownloader.Tiny.NCT
Norman 5.80.02 2008.04.12 W32/Tibs.gen159
Panda 9.0.0.4 2008.04.12 Suspicious file
Prevx1 V2 2008.04.12 Heuristic: Suspicious Code
Sophos 4.28.0 2008.04.12 Mal/DownLdr-J
Sunbelt 3.0.1041.0 2008.04.12 Trojan-Downloader.Tiny.IQ
VBA32 3.12.6.4 2008.04.06 Win32.TrojanDownloader.Tiny.NCT
Webwasher-Gateway 6.6.2 2008.04.11 Trojan.Dldr.Tiny.IQ.28

File Info:
File size: 1712 bytes
MD5...: 159b35f4ef26836035bf2e545f677dd6
SHA1..: 20722f7bd0f0555d69310308a244001ffbc43fa5
SHA256: 9774f9efb9128b993640cf99954463d88bebac575037bf132c1cf341cf8fcfb3
SHA512: 5017ff67483a242fd2603170e5899c6281365c9a0616965d77b93c62038b5728bb8d6b9d52a991745a912782a59dedc03ae1e4c86ef33786a17ef4f2bdf8dee1

PEInfo: PE Structure information
Base Data:
Entry Point Address.: 0x40132f
Time Date Stamp.....: 0x4629edaf (Sat Apr 21 10:55:43 2007)
Machine Type.......: 0x14c (I386)

Code Offset = 00000200, Code Size = 00000367
Data Offset = 00000600, Data Size = 000000B0

Number of Objects = 0002 (dec), Imagebase = 00400000h
Object01: .text RVA: 00001000 Offset: 00000200 Size: 00000367 Flags: E0000020
Object02: .data RVA: 00002000 Offset: 00000600 Size: 000000B0 Flags: C0000040

Process Description:
Filename: loader.exe
MD5: 159b35f4ef26836035bf2e545f677dd6
SHA-1: 20722f7bd0f0555d69310308a244001ffbc43fa5
File Size: 1712 Bytes
Command Line: C:\loader.exe

Load Time DLL:
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000

Run Time DLL:
Module Name Base Address Size
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00054000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\faultrep.dll 0x69450000 0x00016000
C:\WINDOWS\system32\WINSTA.dll 0x76360000 0x00010000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B3000
C:\WINDOWS\system32\WTSAPI32.dll 0x76F50000 0x00008000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\SETUPAPI.dll 0x77920000 0x000F3000
C:\WINDOWS\system32\apphelp.dll 0x77B40000 0x00022000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\shell32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\USER32.dll

Files Created:
C:\DOCUME~1\user\LOCALS~1\Temp\48a0_appcompat.txt

Files Read:
C:\WINDOWS\system32\winsock.dll
PIPE\lsarpc

Files Changed:
C:\DOCUME~1\user\LOCALS~1\Temp\48a0_appcompat.txt
PIPE\lsarpc

Registry Read:
Key Name Value Times
HKLM\Software\Microsoft\PCHealth\ErrorReporting AllOrNone 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting DoReport 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting IncludeKernelFaults 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting IncludeMicrosoftApps 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting IncludeWindowsApps 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting ShowUI 1 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug Auto 1 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug Debugger drwtsn32 -p %ld -e %ld -g 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 1
HKLM\System\Setup SystemSetupInProgress 0 1

Process Created:
Executable Command Line
dwwin.exe C:\WINDOWS\system32\dwwin.exe -x -s 156
drwtsn32 C:\WINDOWS\system32\drwtsn32 -p 284 -e 120 -g

Process Started:
Filename: dwwin.exe
MD5: 7c25440617eee6f69709aa8c915d2c32
SHA-1: 40747172146706013a3334d475b5df0116c56643
File Size: 180224 Bytes
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 156

Registry Values Changed:
Key Name New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders AppData C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cookies C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders History C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Personal C:\Documents and Settings\user\My Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings MigrateProxy 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 0x460000005f00000001000000000000000000000000000000040000000000

Registry Values Read:
Key Name Value Times
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings UrlEncoding 0x00000000 2
HKLM\Software\Microsoft\Tracing EnableConsoleTracing 0 1
HKLM\Software\Microsoft\Tracing\RASAPI32 ConsoleTracingMask 4294901760 2
HKLM\Software\Microsoft\Tracing\RASAPI32 EnableConsoleTracing 0 2
HKLM\Software\Microsoft\Tracing\RASAPI32 EnableFileTracing 0 2
HKLM\Software\Microsoft\Tracing\RASAPI32 FileDirectory %windir%\tracing 4
HKLM\Software\Microsoft\Tracing\RASAPI32 FileTracingMask 4294901760 2
HKLM\Software\Microsoft\Tracing\RASAPI32 MaxFileSize 1048576 2
HKLM\Software\Microsoft\Windows NT\CurrentVersion DigitalProductId 0xa40000000300000037363438372d3333372d383432393935352d32323631 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug Debugger drwtsn32 -p %ld -e %ld -g 4
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList AllUsersProfile All Users 3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList DefaultUserProfile Default User 3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ProfilesDirectory %SystemDrive%\Documents and Settings 6
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003 ProfileImagePath %SystemDrive%\Documents and Settings\user 3
HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir C:\Program Files\Common Files 4
HKLM\Software\Microsoft\Windows\CurrentVersion ProgramFilesDir C:\Program Files 4
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common AppData %ALLUSERSPROFILE%\Application Data 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History PerUserItem 1 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 5
HKLM\System\CurrentControlSet\Control\Session Manager\Environment ComSpec %SystemRoot%\system32\cmd.exe 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment FP_NO_HOST_CHECK NO 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment NUMBER_OF_PROCESSORS 1 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment OS Windows_NT 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_ARCHITECTURE x86 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_IDENTIFIER x86 Family 6 Model 3 Stepping 3, GenuineIntel 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_LEVEL 6 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_REVISION 0303 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment Path %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment TEMP %SystemRoot%\TEMP 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment TMP %SystemRoot%\TEMP 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment _NT_SYMBOL_PATH srv*C:\Symbols*http://msdl.microsoft.com/download/symbols 6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment windir %SystemRoot% 6
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters WinSock_Registry_Version 2.0 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 Num_Catalog_Entries 3 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 Serial_Access_Num 4 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 DisplayString Tcpip 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 LibraryPath %SystemRoot%\System32\mswsock.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ProviderId 0x409d05229e7ecf11ae5a00aa00a7112b 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SupportedNameSpace 12 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 DisplayString NTDS 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 LibraryPath %SystemRoot%\System32\winrnr.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ProviderId 0xee37263b80e5cf11a55500c04fd8d4ac 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SupportedNameSpace 32 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 DisplayString Network Location Awareness (NLA) Namespace 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 LibraryPath %SystemRoot%\System32\mswsock.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ProviderId 0x3a244266a83ba64abaa52e0bd71fdd83 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SupportedNameSpace 15 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Next_Catalog_Entry_ID 1012 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Num_Catalog_Entries 11 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Serial_Access_Num 4 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\Setup SystemSetupInProgress 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment TEMP %USERPROFILE%\Local Settings\Temp 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment TMP %USERPROFILE%\Local Settings\Temp 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS EnableHttp1_1 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS EnableNegotiate 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS MimeExclusionListForCache multipart/mixed multipart/x-mixed-replace multipart/x-byteranges 4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS SecureProtocols 160 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS WarnOnPost 0x01000000 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS WarnOnZoneCrossing 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings CertificateRevocation 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings DisableCachingOfSSLPages 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Internet Explorer\Settings Anchor Color 0,0,255 4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ParseAutoexec 1 3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders AppData %USERPROFILE%\Application Data 3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cache %USERPROFILE%\Local Settings\Temporary Internet Files 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cookies %USERPROFILE%\Cookies 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders History %USERPROFILE%\Local Settings\History 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Personal %USERPROFILE%\My Documents 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Signature Client UrlCache MMF Ver 5.2 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CacheLimit 163410 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CachePrefix 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CachePrefix Cookie: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007101520071022 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CachePrefix :2007101520071022: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007102220071029 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CachePrefix :2007102220071029: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007110120071102 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CachePrefix :2007110120071102: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheLimit 1000 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheOptions 8 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CachePath %USERPROFILE%\UserData 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CachePrefix UserData 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheOptions 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CachePath %USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CachePrefix feedplat: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CachePrefix Visited: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings MigrateProxy 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections DefaultConnectionSettings 0x3c0000000200000001000000000000000000000000000000040000000000 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 0x460000005e00000001000000000000000000000000000000040000000000 4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment APPDATA C:\Documents and Settings\user\Application Data 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment CLIENTNAME Console 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMEDRIVE C: 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMEPATH \Documents and Settings\user 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMESHARE 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment LOGONSERVER \\USER 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment SESSIONNAME Console

Registry Keys Monitored:
Key Name Watch subtree Notify Filter Count
HKLM\Software\Microsoft\Tracing\RASAPI32 0 Attributes Change,Value Change,Security Descriptor Change 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 0 Key Change 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 0 Key Change 1

Files Deleted:
C:\DOCUME~1\user\LOCALS~1\Temp\3850F.dmp
C:\DOCUME~1\user\LOCALS~1\Temp\48a0_appcompat.txt

Files Created:
C:\DOCUME~1\user\LOCALS~1\Temp\3850F.dmp

Files Read:
C:\WINDOWS\win.ini
C:\loader.exe
PIPE\lsarpc
c:\autoexec.bat

Files Modified:
PIPE\lsarpc

Process Started:
Filename: services.exe
MD5: c6ce6eec82f187615d1002bb3bb50ed4
SHA-1: b958912d139cb8dbfeeacdd38ba048c4f452174e
File Size: 108032 Bytes
Command Line: C:\WINDOWS\system32\services.exe

Registry Keys Created:
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control

Registry Values Changed:
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control ActiveService RasMan
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control ActiveService TapiSrv

Registry Values Read:
Key Name Value Times
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0 ClassGUID {4D36E96B-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0 ClassGUID {4D36E978-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1 ClassGUID {4D36E978-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0 ClassGUID {4D36E969-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0 ClassGUID {4D36E96F-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02 ClassGUID {4D36E96E-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020 ClassGUID {4D36E965-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.0___\4D51303030302031202020202020202020202020 ClassGUID {4D36E967-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0 ClassGUID {4D36E96A-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1 ClassGUID {4D36E96A-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10 ClassGUID {4D36E968-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 ClassGUID {4D36E972-E325-11CE-BFC1-08002BE10318} 2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 DeviceDesc Realtek RTL8029(AS)-based Ethernet Adapter (Generic) 2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 Driver {4D36E972-E325-11CE-BFC1-08002BE10318}\0001 2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09 ClassGUID {4D36E96A-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000 ClassGUID {4D36E966-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VGASAVE\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM ClassGUID {4D36E96C-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV ClassGUID {4D36E96C-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI ClassGUID {4D36E96C-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD ClassGUID {4D36E96C-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID ClassGUID {4D36E96C-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000 Capabilities 0 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000 ClassGUID {4D36E96D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000 ConfigFlags 0 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000 Driver {4D36E96D-E325-11CE-BFC1-08002BE10318}\0000 2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000 ClassGUID {4D36E972-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 ClassGUID {4D36E972-E325-11CE-BFC1-08002BE10318} 2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 DeviceDesc WAN Miniport (IP) 2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 Driver {4D36E972-E325-11CE-BFC1-08002BE10318}\0008 2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000 ClassGUID {4D36E972-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000 ClassGUID {4D36E972-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0000 ClassGUID {4D36E972-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0001 ClassGUID {4D36E972-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000 ClassGUID {4D36E972-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0003 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0004 ClassGUID {4D36E97D-E325-11CE-BFC1-08002BE10318} 1
HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATURE95619561OFFSET7E00LENGTH13F291800 ClassGUID {71A27CDD-812A-11D0-BEC7-08002BE2092F} 1
HKLM\SYSTEM\CONTROLSET001\SERVICES\PlugPlay PlugPlayServiceType 3 1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum 0 Root\LEGACY_RASMAN\0000 3
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum Count 1 6
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum 0 Root\LEGACY_RPCSS\0000 1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum Count 1 2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum 0 Root\LEGACY_TAPISRV\0000 2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum Count 1 4
HKLM\System\CurrentControlSet\Services\PlugPlay ObjectName LocalSystem 1
HKLM\System\CurrentControlSet\Services\RasMan ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs 1
HKLM\System\CurrentControlSet\Services\RasMan ObjectName LocalSystem 2
HKLM\System\CurrentControlSet\Services\RpcSs ObjectName NT AUTHORITY\NetworkService 1
HKLM\System\CurrentControlSet\Services\TapiSrv ImagePath %SystemRoot%\System32\svchost.exe -k netsvcs 1
HKLM\System\CurrentControlSet\Services\TapiSrv ObjectName LocalSystem

Files Read:
C:\ntsvcs, Flags: Named pipe

Files Modified:
C:\WINDOWS\system32\config\AppEvent.Evt
C:\WINDOWS\system32\config\SysEvent.Evt
C:\ntsvcs, Flags: Named pipe

Process Started:
Filename: drwtsn32.exe
MD5: c9f5e1de6da983e89e714ed80c11f000
SHA-1: 1717b633478fb107d3c26344f710328b93ae550c
File Size: 45568 Bytes
Command Line: C:\WINDOWS\system32\drwtsn32 -p 284 -e 120 -g

Registry Values Changed:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData C:\Documents and Settings\All Users\Application Data

Registry Read:
Key Name Value Times
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Identifier x86 Family 6 Model 3 Stepping 3 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentBuildNumber 2600 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentType Uniprocessor Free 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization user 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner user 1
HKLM\SYSTEM\CurrentControlSet\Control\Windows CSDVersion 512 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion CurrentType Uniprocessor Free 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common AppData %ALLUSERSPROFILE%\Application Data 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 2
HKLM\software\microsoft\DrWatson AppendToLogFile 1 1
HKLM\software\microsoft\DrWatson CrashDumpType 1 1
HKLM\software\microsoft\DrWatson CreateCrashDump 1 1
HKLM\software\microsoft\DrWatson DumpAllThreads 1 1
HKLM\software\microsoft\DrWatson DumpSymbols 0 1
HKLM\software\microsoft\DrWatson Instructions 10 1
HKLM\software\microsoft\DrWatson MaximumCrashes 10 1
HKLM\software\microsoft\DrWatson NumberOfCrashes 10 1
HKLM\software\microsoft\DrWatson SoundNotification 0 1
HKLM\software\microsoft\DrWatson VisualNotification 0 1
HKLM\software\microsoft\DrWatson WaveFile 1

Files Created:
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

Files Read:
C:\loader.exe
PIPE\lsarpc

Files Changed:
PIPE\lsarpc

Other Application Access:
Process: C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
Process: C:\WINDOWS\explorer.exe
Process: C:\WINDOWS\system32\alg.exe
Process: C:\WINDOWS\system32\cmd.exe
Process: C:\WINDOWS\system32\csrss.exe
Process: C:\WINDOWS\system32\ctfmon.exe
Process: C:\WINDOWS\system32\drwtsn32.exe
Process: C:\WINDOWS\system32\ftvmdmsrv.exe
Process: C:\WINDOWS\system32\lsass.exe
Process: C:\WINDOWS\system32\services.exe
Process: C:\WINDOWS\system32\smss.exe
Process: C:\WINDOWS\system32\spoolsv.exe
Process: C:\WINDOWS\system32\svchost.exe
Process: C:\WINDOWS\system32\winlogon.exe
Process: C:\WINDOWS\system32\wscntfy.exe
Process: C:\WINDOWS\system32\wuauclt.exe
Process: C:\exec\popupKiller.exe
Process: C:\loader.exe

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!

