anubis left
Anubis - Analysis Report
anubis right

Analysis Report for 915c20b33a42174eba06ac8817bb4f06.amada

 Comment on this report

Summary:

Description Risk
Write to foreign memory areas: This executable tampers with the execution of another process. high
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary. low
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically. medium
Execution did not terminate correctly: The executable crashed. medium
Spawns Processes: The executable produces processes during the execution. low
Performs Registry Activities: The executable creates and/or modifies registry entries. low


Table of Contents
expand all expand all   collapse all collapse all

1. General Information

  - Information about Anubis' invocation  
Time needed: 241 s 
Report created: 03/07/11, 12:17:21 UTC 
Termination reason: Timeout 
Program version: 1.74.3362 

1.a) - Network Activity

  - DNS Queries:  
Name Query Type Query Result Successful Protocol
21.75.13.80.in-addr.arpa  DNS_TYPE_PTR  lrouen-152-83-12-21.w80-13.abo.wanadoo.fr  udp 

2. 915c20b33a.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: 915c20b33a.exe 
Command Line: "C:\915c20b33a.exe"  
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​MSVBVM60.DLL  0x73420000  0x00153000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 
C:\​WINDOWS\​system32\​SXS.DLL  0x7E720000  0x000B0000 

2.a) 915c20b33a.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​Microsoft\​CTF\​SystemShared\​  CUAS 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Codepage  932  c_932.nls 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Codepage  936  c_936.nls 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Codepage  949  c_949.nls 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Codepage  950  c_950.nls 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSUserEnabled 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Language Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Layout Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files 

2.b) 915c20b33a.exe - File Activities

  - Files Read:  
C:\915c20b33a.exe

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\915c20b33a.exe
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\MSVBVM60.DLL
C:\WINDOWS\system32\SXS.DLL
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\rpcss.dll

2.c) 915c20b33a.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\915c20b33a.exe   
  C:\915c20b33a.exe 

  - Remote Threads Created:  
Affected Process
C:\915c20b33a.exe

  - Foreign Memory Regions Read:  
Process: C:\915c20b33a.exe

  - Foreign Memory Regions Written:  
Process: C:\915c20b33a.exe

3. 915c20b33a.exe

  - General information about this executable  
Analysis Reason: Started by 915c20b33a.exe 
Filename: 915c20b33a.exe 
MD5: 915c20b33a42174eba06ac8817bb4f06 
SHA-1: 3fb482b3a946d9cc46ce0341c19e877c3c842150 
File Size: 176128 Bytes
Command Line: C:\915c20b33a.exe 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​ws2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​wininet.dll  0x771B0000  0x000AA000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​CRYPT32.dll  0x77A80000  0x00095000 
C:\​WINDOWS\​system32\​MSASN1.dll  0x77B20000  0x00012000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​advapi32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​shell32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​user32.dll  0x7E410000  0x00091000 

3.a) 915c20b33a.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 

3.b) 915c20b33a.exe - File Activities

  - Files Created:  
C:\RECYCLER
C:\RECYCLER\S-1-5-21-5867824309-8277637388-978164718-3995
C:\RECYCLER\S-1-5-21-5867824309-8277637388-978164718-3995\Desktop.ini

  - Files Read:  
C:\915c20b33a.exe

  - Files Modified:  
C:\RECYCLER\S-1-5-21-5867824309-8277637388-978164718-3995\Desktop.ini

  - Directories Created:  
C:\RECYCLER
C:\RECYCLER\S-1-5-21-5867824309-8277637388-978164718-3995

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\ws2_32.dll

3.c) 915c20b33a.exe - Process Activities

  - Remote Threads Created:  
Affected Process
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe

  - Foreign Memory Regions Written:  
Process: C:\WINDOWS\explorer.exe
Process: C:\WINDOWS\system32\wscntfy.exe

4. Explorer.EXE

  - General information about this executable  
Analysis Reason: 915c20b33a.exe wrote to the virtual memory of this process 
Filename: Explorer.EXE 
MD5: 12896823fb95bfb3dc9b46bcaedc9923 
SHA-1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f 
File Size: 1033728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​BROWSEUI.dll  0x75F80000  0x000FD000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​SHDOCVW.dll  0x7E290000  0x00171000 
C:\​WINDOWS\​system32\​CRYPT32.dll  0x77A80000  0x00095000 
C:\​WINDOWS\​system32\​MSASN1.dll  0x77B20000  0x00012000 
C:\​WINDOWS\​system32\​CRYPTUI.dll  0x754D0000  0x00080000 
C:\​WINDOWS\​system32\​NETAPI32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​system32\​WININET.dll  0x771B0000  0x000AA000 
C:\​WINDOWS\​system32\​WINTRUST.dll  0x76C30000  0x0002E000 
C:\​WINDOWS\​system32\​IMAGEHLP.dll  0x76C90000  0x00028000 
C:\​WINDOWS\​system32\​WLDAP32.dll  0x76F60000  0x0002C000 
C:\​WINDOWS\​system32\​SHELL32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​UxTheme.dll  0x5AD70000  0x00038000 
C:\​WINDOWS\​system32\​ShimEng.dll  0x5CB70000  0x00026000 
C:\​WINDOWS\​AppPatch\​AcGenral.DLL  0x6F880000  0x001CA000 
C:\​WINDOWS\​system32\​WINMM.dll  0x76B40000  0x0002D000 
C:\​WINDOWS\​system32\​MSACM32.dll  0x77BE0000  0x00015000 
C:\​WINDOWS\​system32\​USERENV.dll  0x769C0000  0x000B4000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 
C:\​WINDOWS\​system32\​appHelp.dll  0x77B40000  0x00022000 
C:\​WINDOWS\​system32\​CLBCATQ.DLL  0x76FD0000  0x0007F000 
C:\​WINDOWS\​system32\​COMRes.dll  0x77050000  0x000C5000 
C:\​WINDOWS\​System32\​cscui.dll  0x77A20000  0x00054000 
C:\​WINDOWS\​System32\​CSCDLL.dll  0x76600000  0x0001D000 
C:\​WINDOWS\​system32\​themeui.dll  0x5BA60000  0x00071000 
C:\​WINDOWS\​system32\​MSIMG32.dll  0x76380000  0x00005000 
C:\​WINDOWS\​system32\​xpsp2res.dll  0x00BC0000  0x002C5000 
C:\​WINDOWS\​system32\​actxprxy.dll  0x71D40000  0x0001B000 
C:\​WINDOWS\​system32\​msutb.dll  0x5FC10000  0x00033000 
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 
C:\​WINDOWS\​system32\​urlmon.dll  0x7E1E0000  0x000A2000 
C:\​WINDOWS\​system32\​LINKINFO.dll  0x76980000  0x00008000 
C:\​WINDOWS\​system32\​ntshrui.dll  0x76990000  0x00025000 
C:\​WINDOWS\​system32\​ATL.DLL  0x76B20000  0x00011000 
C:\​WINDOWS\​system32\​WINSTA.dll  0x76360000  0x00010000 
C:\​WINDOWS\​system32\​webcheck.dll  0x74B30000  0x00046000 
C:\​WINDOWS\​system32\​WSOCK32.dll  0x71AD0000  0x00009000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​SETUPAPI.dll  0x77920000  0x000F3000 
C:\​WINDOWS\​system32\​stobject.dll  0x76280000  0x00021000 
C:\​WINDOWS\​system32\​BatMeter.dll  0x74AF0000  0x0000A000 
C:\​WINDOWS\​system32\​POWRPROF.dll  0x74AD0000  0x00008000 
C:\​WINDOWS\​system32\​WTSAPI32.dll  0x76F50000  0x00008000 
C:\​WINDOWS\​system32\​msi.dll  0x7D1E0000  0x002BC000 
C:\​WINDOWS\​system32\​NETSHELL.dll  0x76400000  0x001A5000 
C:\​WINDOWS\​system32\​credui.dll  0x76C00000  0x0002E000 
C:\​WINDOWS\​system32\​dot3api.dll  0x478C0000  0x0000A000 
C:\​WINDOWS\​system32\​rtutils.dll  0x76E80000  0x0000E000 
C:\​WINDOWS\​system32\​dot3dlg.dll  0x736D0000  0x00006000 
C:\​WINDOWS\​system32\​OneX.DLL  0x5DCA0000  0x00028000 
C:\​WINDOWS\​system32\​eappcfg.dll  0x745B0000  0x00022000 
C:\​WINDOWS\​system32\​MSVCP60.dll  0x76080000  0x00065000 
C:\​WINDOWS\​system32\​eappprxy.dll  0x5DCD0000  0x0000E000 
C:\​WINDOWS\​system32\​iphlpapi.dll  0x76D60000  0x00019000 
C:\​WINDOWS\​system32\​SAMLIB.dll  0x71BF0000  0x00013000 
C:\​WINDOWS\​system32\​MPR.dll  0x71B20000  0x00012000 
C:\​WINDOWS\​System32\​drprov.dll  0x75F60000  0x00007000 
C:\​WINDOWS\​System32\​ntlanman.dll  0x71C10000  0x0000E000 
C:\​WINDOWS\​System32\​NETUI0.dll  0x71CD0000  0x00017000 
C:\​WINDOWS\​System32\​NETUI1.dll  0x71C90000  0x00040000 
C:\​WINDOWS\​System32\​NETRAP.dll  0x71C80000  0x00007000 
C:\​WINDOWS\​System32\​davclnt.dll  0x75F70000  0x0000A000 
C:\​WINDOWS\​system32\​browselc.dll  0x71600000  0x00012000 
C:\​WINDOWS\​system32\​MLANG.dll  0x75CF0000  0x00091000 
C:\​WINDOWS\​system32\​IMM32.dll  0x76390000  0x0001D000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​hnetcfg.dll  0x662B0000  0x00058000 
C:\​WINDOWS\​system32\​mswsock.dll  0x71A50000  0x0003F000 
C:\​WINDOWS\​System32\​wshtcpip.dll  0x71A90000  0x00008000 
C:\​WINDOWS\​system32\​DNSAPI.dll  0x76F20000  0x00027000 
C:\​WINDOWS\​System32\​winrnr.dll  0x76FB0000  0x00008000 
C:\​WINDOWS\​system32\​rasadhlp.dll  0x76FC0000  0x00006000 

4.a) Explorer.EXE - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion\​Winlogon  info Taskman  C:\​RECYCLER\​S-1-5-21-5867824309-8277637388-978164718-3995\​test.exe 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.aif\​OpenWithProgids  AIFFFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.aifc\​OpenWithProgids  AIFFFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.aiff\​OpenWithProgids  AIFFFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.asf\​OpenWithProgids  ASFFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.asx\​OpenWithProgids  ASXFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.au\​OpenWithProgids  AUFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.avi\​OpenWithProgids  avifile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.bmp\​OpenWithProgids  Paint.Picture   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.css\​OpenWithProgids  CSSfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.dib\​OpenWithProgids  Paint.Picture   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.doc\​OpenWithProgids  WordPad.Document.1   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.dvr-ms\​OpenWithProgids  WMP.DVR-MSFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.emf\​OpenWithProgids  emffile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.gif\​OpenWithProgids  giffile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.htm\​OpenWithProgids  htmlfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.html\​OpenWithProgids  htmlfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.ico\​OpenWithProgids  icofile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.ivf\​OpenWithProgids  IVFfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.jfif\​OpenWithProgids  pjpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.jpe\​OpenWithProgids  jpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.jpeg\​OpenWithProgids  jpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.jpg\​OpenWithProgids  jpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.m1v\​OpenWithProgids  mpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.m3u\​OpenWithProgids  m3ufile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mid\​OpenWithProgids  midfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.midi\​OpenWithProgids  midfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mp2\​OpenWithProgids  mpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mp2v\​OpenWithProgids  mpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mp3\​OpenWithProgids  mp3file   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mpa\​OpenWithProgids  mpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mpe\​OpenWithProgids  mpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mpeg\​OpenWithProgids  mpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mpg\​OpenWithProgids  mpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.mpv2\​OpenWithProgids  mpegfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.png\​OpenWithProgids  pngfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.rmi\​OpenWithProgids  midfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.rtf\​OpenWithProgids  rtffile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.snd\​OpenWithProgids  AUFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.tif\​OpenWithProgids  TIFImage.Document   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.tiff\​OpenWithProgids  TIFImage.Document   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.txt\​OpenWithProgids  txtfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wav\​OpenWithProgids  soundrec   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wax\​OpenWithProgids  WAXFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wdp\​OpenWithProgids  wdpfile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wm\​OpenWithProgids  ASFFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wma\​OpenWithProgids  WMAFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wmf\​OpenWithProgids  wmffile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wmv\​OpenWithProgids  WMVFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wmx\​OpenWithProgids  ASXFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wpl\​OpenWithProgids  WPLFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wri\​OpenWithProgids  wrifile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.wvx\​OpenWithProgids  WVXFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​MICROSOFT\​WINDOWS\​CURRENTVERSION\​EXPLORER\​FILEEXTS\​.zip\​OpenWithProgids  CompressedFolder   

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​CLASSES\​.386  PerceivedType  system 
HKLM\​SOFTWARE\​CLASSES\​.AIF    AIFFFile 
HKLM\​SOFTWARE\​CLASSES\​.AIFC    AIFFFile 
HKLM\​SOFTWARE\​CLASSES\​.AIFF    AIFFFile 
HKLM\​SOFTWARE\​CLASSES\​.ASF    ASFFile 
HKLM\​SOFTWARE\​CLASSES\​.ASM  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.ASMX  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.ASPX  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.ASX    ASXFile 
HKLM\​SOFTWARE\​CLASSES\​.AU    AUFile 
HKLM\​SOFTWARE\​CLASSES\​.AVI    avifile 
HKLM\​SOFTWARE\​CLASSES\​.BMP    Paint.Picture 
HKLM\​SOFTWARE\​CLASSES\​.C  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.CHK  PerceivedType  system 
HKLM\​SOFTWARE\​CLASSES\​.CPP  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.CSS    CSSfile 
HKLM\​SOFTWARE\​CLASSES\​.CSS  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.CSV  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.CXX  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.DEF  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.DIB    Paint.Picture 
HKLM\​SOFTWARE\​CLASSES\​.DIZ  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.DOC    WordPad.Document.1 
HKLM\​SOFTWARE\​CLASSES\​.DVR-MS    WMP.DVR-MSFile 
HKLM\​SOFTWARE\​CLASSES\​.EMF    emffile 
HKLM\​SOFTWARE\​CLASSES\​.GIF    giffile 
HKLM\​SOFTWARE\​CLASSES\​.GZ  PerceivedType  compressed 
HKLM\​SOFTWARE\​CLASSES\​.H  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.HPP  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.HTM    htmlfile 
HKLM\​SOFTWARE\​CLASSES\​.HTM  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.HTML    htmlfile 
HKLM\​SOFTWARE\​CLASSES\​.HTML  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.HXX  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.ICO    icofile 
HKLM\​SOFTWARE\​CLASSES\​.INC  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.IVF    IVFfile 
HKLM\​SOFTWARE\​CLASSES\​.JAVA  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.JFIF    pjpegfile 
HKLM\​SOFTWARE\​CLASSES\​.JPE    jpegfile 
HKLM\​SOFTWARE\​CLASSES\​.JPEG    jpegfile 
HKLM\​SOFTWARE\​CLASSES\​.JPG    jpegfile 
HKLM\​SOFTWARE\​CLASSES\​.LOCAL  PerceivedType  system 
HKLM\​SOFTWARE\​CLASSES\​.M1V    mpegfile 
HKLM\​SOFTWARE\​CLASSES\​.M3U    m3ufile 
HKLM\​SOFTWARE\​CLASSES\​.MANIFEST  PerceivedType  system 
HKLM\​SOFTWARE\​CLASSES\​.MID    midfile 
HKLM\​SOFTWARE\​CLASSES\​.MIDI    midfile 
HKLM\​SOFTWARE\​CLASSES\​.MP2    mpegfile 
HKLM\​SOFTWARE\​CLASSES\​.MP2V    mpegfile 
HKLM\​SOFTWARE\​CLASSES\​.MP3    mp3file 
HKLM\​SOFTWARE\​CLASSES\​.MPA    mpegfile 
HKLM\​SOFTWARE\​CLASSES\​.MPE    mpegfile 
HKLM\​SOFTWARE\​CLASSES\​.MPEG    mpegfile 
HKLM\​SOFTWARE\​CLASSES\​.MPG    mpegfile 
HKLM\​SOFTWARE\​CLASSES\​.MPV2    mpegfile 
HKLM\​SOFTWARE\​CLASSES\​.NVR  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.OCX  PerceivedType  system 
HKLM\​SOFTWARE\​CLASSES\​.PHP3  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.PL  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.PLG  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.PNG    pngfile 
HKLM\​SOFTWARE\​CLASSES\​.RMI    midfile 
HKLM\​SOFTWARE\​CLASSES\​.RTF    rtffile 
HKLM\​SOFTWARE\​CLASSES\​.SED  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.SHTML  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.SND    AUFile 
HKLM\​SOFTWARE\​CLASSES\​.SQL  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.TAR  PerceivedType  compressed 
HKLM\​SOFTWARE\​CLASSES\​.TEXT  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.TGZ  PerceivedType  compressed 
HKLM\​SOFTWARE\​CLASSES\​.TIF    TIFImage.Document 
HKLM\​SOFTWARE\​CLASSES\​.TIFF    TIFImage.Document 
HKLM\​SOFTWARE\​CLASSES\​.TSV  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.TXT    txtfile 
HKLM\​SOFTWARE\​CLASSES\​.TXT  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.VXD  PerceivedType  system 
HKLM\​SOFTWARE\​CLASSES\​.WAV    soundrec 
HKLM\​SOFTWARE\​CLASSES\​.WAX    WAXFile 
HKLM\​SOFTWARE\​CLASSES\​.WDP    wdpfile 
HKLM\​SOFTWARE\​CLASSES\​.WM    ASFFile 
HKLM\​SOFTWARE\​CLASSES\​.WMA    WMAFile 
HKLM\​SOFTWARE\​CLASSES\​.WMF    wmffile 
HKLM\​SOFTWARE\​CLASSES\​.WMV    WMVFile 
HKLM\​SOFTWARE\​CLASSES\​.WMX    ASXFile 
HKLM\​SOFTWARE\​CLASSES\​.WMZ  PerceivedType  compressed 
HKLM\​SOFTWARE\​CLASSES\​.WPL    WPLFile 
HKLM\​SOFTWARE\​CLASSES\​.WRI    wrifile 
HKLM\​SOFTWARE\​CLASSES\​.WSZ  PerceivedType  compressed 
HKLM\​SOFTWARE\​CLASSES\​.WVX    WVXFile 
HKLM\​SOFTWARE\​CLASSES\​.X  PerceivedType  text 
HKLM\​SOFTWARE\​CLASSES\​.Z  PerceivedType  compressed 
HKLM\​SOFTWARE\​CLASSES\​.ZIP    CompressedFolder 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{603D3801-BD81-11D0-A3A5-00C04FD706EC}\​INPROCSERVER32    %SystemRoot%\​system32\​browseui.dll 
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion\​Winlogon  Taskman  C:\​RECYCLER\​S-1-5-21-5867824309-8277637388-978164718-3995\​test.exe  10 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Winsock\​Parameters  Transports  0x5400630070006900700000004e0065007400420049004f00530000000000 
HKLM\​Software\​Microsoft\​COM3  REGDBVersion  0x0700000000000000 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Domain   
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Hostname  pc 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  UseDomainNameDevolution 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  HelperDllName  %SystemRoot%\​System32\​wshtcpip.dll 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  Mapping  0x0b0000000300000002000000010000000600000002000000010000000000 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MaxSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MinSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  UseDelayedAcceptance 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters  WinSock_Registry_Version  2.0 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Num_Catalog_Entries 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  DisplayString  Tcpip 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  SupportedNameSpace  12 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  DisplayString  NTDS 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  LibraryPath  %SystemRoot%\​System32\​winrnr.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  SupportedNameSpace  32 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  DisplayString  Network Location Awareness (NLA) Namespace 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  SupportedNameSpace  15 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Next_Catalog_Entry_ID  1012 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Num_Catalog_Entries  11 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000001  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000002  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000003  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000004  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000005  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000006  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000007  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000008  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000009  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000010  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000011  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​Setup  SystemSetupInProgress 

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Key Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Key Change 

4.b) Explorer.EXE - File Activities

  - Files Created:  
C:\RECYCLER\S-1-5-21-5867824309-8277637388-978164718-3995\test.exe
\Device\NamedPipe\Win32Pipes.000000ac.00000001
pipe\eoiskoijdepsl

  - Files Read:  
PIPE\lsarpc

  - Files Modified:  
C:\RECYCLER\S-1-5-21-5867824309-8277637388-978164718-3995\test.exe
PIPE\lsarpc
\Device\Afd\Endpointinfo
\Device\RasAcdinfo

  - File System Control Communication:  
File Control Code Times
PIPE\lsarpc  0x0011C017 
\Device\NamedPipe\Win32Pipes.000000ac.00000001  0x0011400C  3975 

  - Device Control Communication:  
File Control Code Times
\Device\Afd\Endpoint  AFD_GET_INFO (0x0001207B) 
\Device\Afd\Endpoint  AFD_SET_CONTEXT (0x00012047) 
\Device\Afd\Endpoint  AFD_SET_INFO (0x0001203B) 
\Device\RasAcd  0x00F14014 
\Device\Afd\Endpoint  AFD_BIND (0x00012003) 
\Device\Afd\Endpoint  AFD_GET_TDI_HANDLES (0x00012037) 
\Device\Afd\Endpoint  AFD_GET_SOCK_NAME (0x0001202F) 
\Device\Afd\Endpoint  AFD_SEND_DATAGRAM (0x00012023) 
\Device\Afd\Endpoint  AFD_RECV_DATAGRAM (0x0001201B) 
unnamed file  0x00228144 

  - Memory Mapped Files:  
File Name
C:\915c20b33a.exe
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rasadhlp.dll

4.c) Explorer.EXE - Network Activity

  - DNS Queries:  
Name Query Type Query Result Successful Protocol
symconempkr.com  DNS_TYPE_A  194.116.174.85  YES  udp 
21.75.13.80.in-addr.arpa.  DNS_TYPE_PTR  LRouen-152-83-12-21.w80-13.abo.wanadoo.fr  YES   

  -  Unknown UDP Traffic:  
from ANUBIS:1038 to 194.116.174.85:7778
State: Normal establishment and termination - Transferred outbound Bytes: 79 - Transferred inbound Bytes: 11

4.d) Explorer.EXE - Other Activities

  - Mutexes Created:  
akemksmoifejoijdke5646

  - Keyboard Keys Monitored:  
Virtual Key Code Times
VK_LBUTTON (1)  224 

5. wscntfy.exe

  - General information about this executable  
Analysis Reason: 915c20b33a.exe wrote to the virtual memory of this process 
Filename: wscntfy.exe 
MD5: f92e1076c42fcd6db3d72d8cfe9816d5 
SHA-1: 549f0a01848375d03159fc74171ed97790fa9650 
File Size: 13824 Bytes
Command Line: C:\WINDOWS\system32\wscntfy.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​SHELL32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​xpsp2res.dll  0x007C0000  0x002C5000 
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 

5.a) wscntfy.exe - Process Activities

  - Foreign Memory Regions Read:  
Process: C:\WINDOWS\explorer.exe


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org