Analysis Report for bf1c61f5dd0cf5b1138c0447d6f4c4ed

Comment on this report

Summary:

Description	Risk
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE Started by sample.exe General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities services.exe C:\WINDOWS\system32\services.exe NtConnectPort(\RPC Control\ntsvcs was called. General Information

1. General Information

	- Information about Anubis' invocation

Time needed:	242 s
Report created:	03/20/09, 15:27:14 UTC
Termination reason:	Timeout
Program version:	1.67.0

	- Popups

Process	Window Name	Window Text	Screenshot	Number of Displayed Times
explorer.exe	Windows Internet Explorer			1

1.a) - Network Activity

	- HTTP Conversations:

From ANUBIS:1033 to 165.230.110.130:80 - [zlab.rutgers.edu]
Request: GET /topo.jpg
Response: 200 "OK"

	- Unknown UDP Traffic:

from ANUBIS:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 34 - Transferred inbound Bytes: 147

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	bf1c61f5dd0cf5b1138c0447d6f4c4ed
SHA-1:	87d6862cf788b6afd45319af24ce395956143556
File Size:	64512 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\user32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\advapi32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\oleaut32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\URLMON.DLL	0x42CF0000	0x00127000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Normaliz.dll	0x00A20000	0x00009000
C:\WINDOWS\system32\WININET.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\ieframe.dll	0x42EF0000	0x005CD000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\netapi32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\ws2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\HLINK.DLL	0x76820000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\appHelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000

	- Ikarus Virus Scanner

Trojan-Downloader.Win32.Delf.ACC (Sig-Id:149648)

2.a) sample.exe - Registry Activities

	- Registry Keys Created:

HKLM\Software\Microsoft\DownloadManager

	- Registry Values Modified:

Key	Name	New Value
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	History	C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AutoDetect	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IntranetName	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ProxyBypass	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UNCAsIntranet	1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\CLSID\{6F237DF9-9DDB-47AD-B218-400D54C286AD}\INPROCSERVER32		C:\WINDOWS\system32\urlmon.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{6F237DF9-9DDB-47AD-B218-400D54C286AD}\INPROCSERVER32	ThreadingModel	Apartment	1
HKLM\SOFTWARE\CLASSES\CLSID\{79EAC9D0-BAF9-11CE-8C82-00AA004BA90B}\INPROCSERVER32		C:\WINDOWS\system32\hlink.dll	2
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32		C:\WINDOWS\system32\ieframe.dll	4
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32	ThreadingModel	Apartment	1
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELLFOLDER	WantsParseDisplayName		2
HKLM\SOFTWARE\CLASSES\CLSID\{A4741943-6C4B-4CF7-BF44-A0F4207D1330}\INPROCSERVER32		C:\WINDOWS\system32\urlmon.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{A4741943-6C4B-4CF7-BF44-A0F4207D1330}\INPROCSERVER32	ThreadingModel	Apartment	1
HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32		shell32.dll	1
HKLM\SOFTWARE\CLASSES\HTTP	URL Protocol		1
HKLM\SOFTWARE\CLASSES\HTTP\SHELL		open	3
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\COMMAND		"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome	3
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\DDEEXEC		"%1",,-1,0,,,,	1
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\DDEEXEC	NoActivateHandler		1
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\DDEEXEC\APPLICATION		IExplore	1
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\DDEEXEC\TOPIC		WWW_OpenURL	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{000214E6-0000-0000-C000-000000000046}\PROXYSTUBCLSID32		{bf50b68e-29b8-4386-ae9c-9734d5117cd5}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\PROXYSTUBCLSID32		{B8DA6310-E19B-11D0-933C-00A0C90DCAA9}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\PROXYSTUBCLSID32		{bf50b68e-29b8-4386-ae9c-9734d5117cd5}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{B722BCCB-4E68-101B-A2BC-00AA00404770}\PROXYSTUBCLSID32		{B8DA6310-E19B-11D0-933C-00A0C90DCAA9}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TYPELIB		{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup	IExploreLastModifiedHigh	29887276	1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup	IExploreLastModifiedLow	2933474304	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE		C:\Program Files\Internet Explorer\IEXPLORE.EXE	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnablePunycode	1	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 1.1.4322		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 2.0.50727		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 3.0.04506.30		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	InfoPath.1		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens			1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens	MSN 2.0		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens	MSN 2.5		1
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32		C:\WINDOWS\system32\ieframe.dll	3
HKLM\Software\Classes\CLSID\{a4741943-6c4b-4cf7-bf44-a0f4207d1330}\InProcServer32		C:\WINDOWS\system32\urlmon.dll	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0f00000000000000	6
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003	ProfileImagePath	%SystemDrive%\Documents and Settings\user	1
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	1
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	1
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE	PATH	C:\Program Files\Internet Explorer;	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks	{AEB6717E-7E19-11d0-97EE-00C04FD91972}		1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com			1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related	http	4	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	2
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment	TMP	%USERPROFILE%\Local Settings\Temp	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CertificateRevocation	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableCachingOfSSLPages	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableNegotiate	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SecureProtocols	160	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Win32)	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnPost	0x01000000	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnZoneCrossing	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	History	%USERPROFILE%\Local Settings\History	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	Signature	Client UrlCache MMF Ver 5.2	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CacheLimit	163410	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CachePrefix		2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CachePrefix	Cookie:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheOptions	11	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012008051620080517	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CachePrefix	:2008051620080517:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheLimit	1000	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheOptions	8	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePath	%USERPROFILE%\UserData	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePrefix	UserData	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheOptions	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePath	%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePrefix	feedplat:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CachePrefix	Visited:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AutoDetect	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\			1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	@ivt	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	file	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	ftp	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	http	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	https	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	shell	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	Flags	33	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	Flags	475	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	Flags	71	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	Flags	1	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	Flags	3	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401	0x01000000310032003a893fef1312c801	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	LangID	0x0904	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\	C:\Program Files\Internet Explorer\IEXPLORE.EXE	Internet Explorer	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	APPDATA	C:\Documents and Settings\user\Application Data	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	CLIENTNAME		2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMEDRIVE	C:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMEPATH	\Documents and Settings\user	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMESHARE		2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	LOGONSERVER	\\USER	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	SESSIONNAME	Console	2

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKU	1	Key Change,Value Change	3

2.b) sample.exe - File Activities

	- Files Read:

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\Registration\R00000000000f.clb

PIPE\lsarpc

PIPE\wkssvc

c:\autoexec.bat

	- Files Modified:

PIPE\lsarpc

PIPE\wkssvc

WMIDataDevice

\Device\Afd\Endpoint

	- File System Control Communication:

File	Control Code	Times
PIPE\wkssvc	0x0011C017	1
PIPE\lsarpc	0x0011C017	11

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7
WMIDataDevice	0x0022414C	4
WMIDataDevice	0x00228144	4
WMIDataDevice	0x0022415C	2
WMIDataDevice	0x00228168	2
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	3
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	1
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	2
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	2
\Device\Afd\Endpoint	AFD_CONNECT (0x00012007)	1
\Device\Afd\Endpoint	AFD_SELECT (0x00012024)	1

	- Memory Mapped Files:

File Name

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\HLINK.DLL

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\PSAPI.DLL

C:\WINDOWS\system32\RASAPI32.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\en-US\ieframe.dll.mui

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\ieframe.dll

C:\WINDOWS\system32\mswsock.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\rtutils.dll

C:\WINDOWS\system32\ws2_32.dll

C:\Windows\AppPatch\sysmain.sdb

2.c) sample.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE	"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

	- Remote Threads Created:

Affected Process

C:\Program Files\Internet Explorer\IEXPLORE.EXE

	- Thread Overview:

Time	Number of threads
After 57 seconds	1
After 184 seconds	0
After 194 seconds	1
After 196 seconds	0
After 216 seconds	1

	- Foreign Memory Regions Read:

Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE

	- Foreign Memory Regions Written:

Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE

2.d) sample.exe - Network Activity

3. IEXPLORE.EXE

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	IEXPLORE.EXE
MD5:	e854d02e4231f704d9be782a424e6d8b
SHA-1:	2c245f66b8c984ec5d8d65175fe5832e2cfb62f8
File Size:	625152 Bytes
Command Line:	"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\urlmon.dll	0x42CF0000	0x00127000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\xpsp2res.dll	0x00BC0000	0x002C5000
C:\WINDOWS\system32\Normaliz.dll	0x018A0000	0x00009000
C:\Program Files\Microsoft Office\OFFICE11\msohev.dll	0x325C0000	0x00012000
C:\WINDOWS\system32\WININET.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\IEFRAME.dll	0x42EF0000	0x005CD000
C:\WINDOWS\system32\xmllite.dll	0x47060000	0x00021000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll	0x4EC50000	0x001A6000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IEUI.dll	0x5DFF0000	0x0002F000
C:\Program Files\Internet Explorer\ieproxy.dll	0x61930000	0x0004A000
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll	0x6D7C0000	0x00079000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\ws2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\msimtf.dll	0x746F0000	0x0002A000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\msctfime.ime	0x755C0000	0x0002E000
C:\WINDOWS\system32\MLANG.dll	0x75CF0000	0x00091000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\System32\CSCDLL.dll	0x76600000	0x0001D000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\Program Files\Internet Explorer\custsat.dll	0x76CC0000	0x0000B000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\System32\cscui.dll	0x77A20000	0x00054000
C:\WINDOWS\system32\apphelp.dll	0x77B40000	0x00022000
C:\Program Files\Java\jre1.6.0_03\bin\MSVCR71.dll	0x7C340000	0x00056000

3.a) IEXPLORE.EXE - Registry Activities

	- Registry Keys Created:

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\InprocServer32

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\InprocServer32

	- Registry Keys Deleted: