anubis left
Anubis - Analysis Report
anubis right

Analysis Report for 72992ab286ef3e4329890029303d570c-651ee1f8de21378db4d49ece4d2776f7-1359381592

Comment on this report

Table of Contents

expand all expand all   collapse all collapse all

1. General Information

  - Information about Anubis' invocation  
Time needed: 249 s 
Report created: 01/28/13, 14:03:01 UTC 
Termination reason: Timeout 
Program version: 1.76.3886 

1.a) - Network Activity

  -  HTTP Conversations:  
From ANUBIS:1087 to 50.116.103.67:80 - [mytamilmagazine.net]
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"

2. 72992ab286.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: 72992ab286.exe 
MD5: b83a6d31726c6f790772ad885f5ba69c 
SHA-1: 81e366767ff77f42f52a56e61d81e7d14091f6bc 
File Size: 40448 Bytes
Command Line: "C:\72992ab286.exe" 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​MSVCRT.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​USER32.DLL  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​WSOCK32.DLL  0x71AD0000  0x00009000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​WINMM.DLL  0x76B40000  0x0002D000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​uxtheme.dll  0x5AD70000  0x00038000 
C:\​WINDOWS\​system32\​COMCTL32.DLL  0x5D090000  0x0009A000 
C:\​WINDOWS\​system32\​msimg32.dll  0x76380000  0x00005000 

2.a) 72992ab286.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Windows  AppInit_DLLs   
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​MediaProperties\​PrivateProperties\​Joystick\​Winmm  wheel 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSAppCompat 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSUserEnabled 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files 

2.b) 72992ab286.exe - File Activities

  - Files Read:  
c:\72992ab286.exe

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files\  0x00090028 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\system32\COMCTL32.DLL
C:\WINDOWS\system32\WINMM.DLL
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WSOCK32.DLL
C:\WINDOWS\system32\msimg32.dll
C:\WINDOWS\system32\uxtheme.dll
c:\72992ab286.exe

2.c) 72992ab286.exe - Process Activities

  - Processes Created:  
Executable Command Line
c:\72992ab286.exe   
c:\72992ab286.exe   

  - Remote Threads Created:  
Affected Process
c:\72992ab286.exe

  - Foreign Memory Regions Read:  
Process: c:\72992ab286.exe

  - Foreign Memory Regions Written:  
Process: c:\72992ab286.exe

2.d) 72992ab286.exe - Other Activities

  - Windows SEH exceptions:  
Description Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x77c47613 

3. 72992ab286.exe

  - General information about this executable  
Analysis Reason: Started by 72992ab286.exe 
Filename: 72992ab286.exe 
MD5: b83a6d31726c6f790772ad885f5ba69c 
SHA-1: 81e366767ff77f42f52a56e61d81e7d14091f6bc 
File Size: 40448 Bytes
Command Line: "c:\72992ab286.exe" 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​NETAPI32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 
C:\​WINDOWS\​system32\​hnetcfg.dll  0x662B0000  0x00058000 
C:\​WINDOWS\​System32\​mswsock.dll  0x71A50000  0x0003F000 
C:\​WINDOWS\​System32\​wshtcpip.dll  0x71A90000  0x00008000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​wsock32.dll  0x71AD0000  0x00009000 
C:\​WINDOWS\​system32\​sensapi.dll  0x722B0000  0x00005000 
C:\​WINDOWS\​system32\​USERENV.dll  0x769C0000  0x000B4000 
C:\​WINDOWS\​system32\​WINMM.dll  0x76B40000  0x0002D000 
C:\​WINDOWS\​system32\​rtutils.dll  0x76E80000  0x0000E000 
C:\​WINDOWS\​system32\​rasman.dll  0x76E90000  0x00012000 
C:\​WINDOWS\​system32\​TAPI32.dll  0x76EB0000  0x0002F000 
C:\​WINDOWS\​system32\​RASAPI32.DLL  0x76EE0000  0x0003C000 
C:\​WINDOWS\​system32\​DNSAPI.dll  0x76F20000  0x00027000 
C:\​WINDOWS\​system32\​rasadhlp.dll  0x76FC0000  0x00006000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​wininet.dll  0x771B0000  0x000AA000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​CRYPT32.dll  0x77A80000  0x00095000 
C:\​WINDOWS\​system32\​MSASN1.dll  0x77B20000  0x00012000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​shell32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​urlmon.dll  0x7E1E0000  0x000A2000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 

3.a) 72992ab286.exe - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKLM\​SYSTEM\​CURRENTCONTROLSET\​HARDWARE PROFILES\​CURRENT\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info ProxyEnable 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Common AppData  C:\​Documents and Settings\​All Users\​Application Data 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths  info Directory  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths  info Paths 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path1  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path1  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache1 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path2  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path2  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache2 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path3  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path3  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache3 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path4  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path4  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache4 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  AppData  C:\​Documents and Settings\​Administrator\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cookies  C:\​Documents and Settings\​Administrator\​Cookies 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  History  C:\​Documents and Settings\​Administrator\​Local Settings\​History 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info IntranetName 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info ProxyBypass 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info UNCAsIntranet 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info MigrateProxy 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info ProxyEnable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  info SavedLegacySettings  0x3c0000001600000001000000000000000000000000000000040000000000 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  UrlEncoding  0x00000000 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Winsock\​Parameters  Transports  0x5400630070006900700000004e0065007400420049004f00530000000000 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_BEHAVIORS 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_DISABLE_MK_PROTOCOL 
HKLM\​Software\​Microsoft\​Tracing  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  ConsoleTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableFileTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileDirectory  %windir%\​tracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  MaxFileSize  1048576 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  AllUsersProfile  All Users 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  DefaultUserProfile  Default User 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  ProfilesDirectory  %SystemDrive%\​Documents and Settings 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  ProfileImagePath  %SystemDrive%\​Documents and Settings\​Administrator 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Windows  AppInit_DLLs   
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  CommonFilesDir  C:\​Program Files\​Common Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  ProgramFilesDir  C:\​Program Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common AppData  %ALLUSERSPROFILE%\​Application Data 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC 
HKLM\​System\​CurrentControlSet\​Control\​MediaProperties\​PrivateProperties\​Joystick\​Winmm  wheel 
HKLM\​System\​CurrentControlSet\​Control\​ProductOptions  ProductType  WinNT 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  ComSpec  %SystemRoot%\​system32\​cmd.exe 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  FP_NO_HOST_CHECK  NO 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  NUMBER_OF_PROCESSORS 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  OS  Windows_NT 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_ARCHITECTURE  x86 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_IDENTIFIER  x86 Family 6 Model 3 Stepping 3, GenuineIntel 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_LEVEL 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_REVISION  0303 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  Path  %SystemRoot%\​system32;%SystemRoot%;%SystemRoot%\​System32\​Wbem 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TEMP  %SystemRoot%\​TEMP 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TMP  %SystemRoot%\​TEMP 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  windir  %SystemRoot% 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSAppCompat 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Domain   
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Hostname  pc 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  UseDomainNameDevolution 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  HelperDllName  %SystemRoot%\​System32\​wshtcpip.dll 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  Mapping  0x0b0000000300000002000000010000000600000002000000010000000000 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MaxSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MinSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  UseDelayedAcceptance 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters  WinSock_Registry_Version  2.0 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Num_Catalog_Entries 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  DisplayString  Tcpip 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  SupportedNameSpace  12 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  DisplayString  NTDS 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  LibraryPath  %SystemRoot%\​System32\​winrnr.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  SupportedNameSpace  32 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  DisplayString  Network Location Awareness (NLA) Namespace 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  SupportedNameSpace  15 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Next_Catalog_Entry_ID  1020 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Num_Catalog_Entries  13 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000001  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000002  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000003  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000004  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000005  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000006  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000007  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000008  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000009  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000010  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000011  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000012  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000013  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​Setup  SystemSetupInProgress 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Environment  TEMP  %USERPROFILE%\​Local Settings\​Temp 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Environment  TMP  %USERPROFILE%\​Local Settings\​Temp 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableHttp1_1 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableNegotiate 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  MimeExclusionListForCache  multipart/mixed multipart/x-mixed-replace multipart/x-byteranges  
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  WarnOnPost  0x01000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Winlogon  ParseAutoexec 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  AppData  %USERPROFILE%\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cache  %USERPROFILE%\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cookies  %USERPROFILE%\​Cookies 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  History  %USERPROFILE%\​Local Settings\​History 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Local Settings  %USERPROFILE%\​Local Settings 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Personal  %USERPROFILE%\​My Documents 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache  Signature  Client UrlCache MMF Ver 5.2 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CacheLimit  163410 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CachePrefix   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CacheLimit  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CachePrefix  Cookie: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021720110218  CacheLimit  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021720110218  CacheOptions  11 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021720110218  CachePath  %USERPROFILE%\​Local Settings\​History\​History.IE5\​MSHist012011021720110218\​ 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021720110218  CachePrefix  :2011021720110218:  
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021720110218  CacheRepair 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021820110219  CacheLimit  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021820110219  CacheOptions  11 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021820110219  CachePath  %USERPROFILE%\​Local Settings\​History\​History.IE5\​MSHist012011021820110219\​ 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021820110219  CachePrefix  :2011021820110219:  
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021820110219  CacheRepair 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CacheLimit  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CachePrefix  Visited: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  IntranetName  16 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  ProxyBypass  16 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​  http  16 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​0  Flags  33 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​1  Flags  219 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​2  Flags  71 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  1A10 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  Flags 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​4  Flags 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  MigrateProxy 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  ProxyEnable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  DefaultConnectionSettings  0x3c0000000300000001000000000000000000000000000000040000000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  SavedLegacySettings  0x3c0000001500000001000000000000000000000000000000040000000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  APPDATA  C:\​Documents and Settings\​Administrator\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  CLIENTNAME  Console 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMEDRIVE  C: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMEPATH  \​Documents and Settings\​Administrator 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMESHARE   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  LOGONSERVER  \​\​PC 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  SESSIONNAME  Console 

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  Attributes Change,Value Change,Security Descriptor Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Key Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Key Change 

3.b) 72992ab286.exe - File Activities

  - Files Read:  
PIPE\lsarpc
c:\72992ab286.exe
c:\autoexec.bat

  - Files Modified:  
PIPE\lsarpc
\Device\Afd\Endpointinfo
\Device\RasAcdinfo

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files\  0x00090028 
PIPE\lsarpc  0x0011C017  19 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 
\Device\Afd\Endpoint  AFD_GET_INFO (0x0001207B) 
\Device\Afd\Endpoint  AFD_SET_CONTEXT (0x00012047)  394 
\Device\Afd\Endpoint  AFD_BIND (0x00012003)  59 
\Device\Afd\Endpoint  AFD_GET_TDI_HANDLES (0x00012037)  118 
\Device\Afd\Endpoint  AFD_GET_SOCK_NAME (0x0001202F)  59 
\Device\Afd\Endpoint  AFD_CONNECT (0x00012007)  59 
unnamed file  0x00120028  59 
\Device\Afd\Endpoint  AFD_SEND (0x0001201F)  90 
\Device\Afd\Endpoint  AFD_RECV (0x00012017)  196 
\Device\Afd\Endpoint  AFD_SET_INFO (0x0001203B)  217 
\Device\Afd\Endpoint  AFD_DISCONNECT (0x0001202B)  28 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\RASAPI32.DLL
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\wsock32.dll

3.c) 72992ab286.exe - Network Activity

  - DNS Queries:  
Name Query Type Query Result Successful Protocol
thueringen.bdlo.de  DNS_TYPE_A  82.165.90.252  YES  udp 
houstongeneraltradinggroup.com  DNS_TYPE_A  184.173.23.142  YES  udp 
instructivodogui.com.ar  DNS_TYPE_A  205.186.175.142  YES  udp 
piano-secrets.com  DNS_TYPE_A  67.222.51.191  YES  udp 
mytamilmagazine.net  DNS_TYPE_A  50.116.103.67  YES  udp 

  -  HTTP Conversations:  
From ANUBIS:1028 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1029 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1030 to 205.186.175.142:80 - [instructivodogui.com.ar]
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
From ANUBIS:1031 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1032 to 67.222.51.191:80 - [piano-secrets.com]
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
From ANUBIS:1033 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1034 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1035 to 50.116.103.67:80 - [mytamilmagazine.net]
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
From ANUBIS:1036 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1037 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1038 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1039 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1040 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1041 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1042 to 50.116.103.67:80 - [mytamilmagazine.net]
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
From ANUBIS:1043 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1044 to 205.186.175.142:80 - [instructivodogui.com.ar]
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
From ANUBIS:1045 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1046 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: <no reply>
From ANUBIS:1047 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1048 to 205.186.175.142:80 - [instructivodogui.com.ar]
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
From ANUBIS:1049 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1050 to 67.222.51.191:80 - [piano-secrets.com]
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
From ANUBIS:1051 to 205.186.175.142:80 - [instructivodogui.com.ar]
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
From ANUBIS:1052 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1053 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1054 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1055 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1056 to 50.116.103.67:80 - [mytamilmagazine.net]
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
From ANUBIS:1057 to 67.222.51.191:80 - [piano-secrets.com]
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
From ANUBIS:1058 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1059 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1060 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1061 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1062 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1063 to 50.116.103.67:80 - [mytamilmagazine.net]
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
From ANUBIS:1064 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1065 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1066 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1067 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1068 to 50.116.103.67:80 - [mytamilmagazine.net]
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
From ANUBIS:1069 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1070 to 67.222.51.191:80 - [piano-secrets.com]
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
From ANUBIS:1071 to 205.186.175.142:80 - [instructivodogui.com.ar]
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
From ANUBIS:1072 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1073 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: <no reply>
From ANUBIS:1074 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1075 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: <no reply>
From ANUBIS:1076 to 184.173.23.142:80 - [houstongeneraltradinggroup.com]
Request: GET /x.htm?rGZMsFSJ5J6blYJUPL7X
Response: 404 "Not Found"
From ANUBIS:1077 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1078 to 205.186.175.142:80 - [instructivodogui.com.ar]
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
From ANUBIS:1079 to 67.222.51.191:80 - [piano-secrets.com]
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
Request: GET /i.htm?7tEhYb3repxi4DthjGlUdzE1fcHEPHgiz
Response: 404 "Not Found"
From ANUBIS:1080 to 50.116.103.67:80 - [mytamilmagazine.net]
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: <no reply>
From ANUBIS:1081 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1082 to 205.186.175.142:80 - [instructivodogui.com.ar]
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
From ANUBIS:1083 to 50.116.103.67:80 - [mytamilmagazine.net]
Request: GET /q.htm?uT5JYibIM7F26CWJMrIHJK7Rjg4s5xD
Response: 404 "Not Found"
From ANUBIS:1084 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"
From ANUBIS:1085 to 205.186.175.142:80 - [instructivodogui.com.ar]
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: 404 "Not Found"
Request: GET /b.htm?heZg4KzGMWwfIcWcP4DsYikrdlb
Response: <no reply>
From ANUBIS:1086 to 82.165.90.252:80 - [thueringen.bdlo.de]
Request: GET /d.htm?zv6KZ1T6WKphAp6nLllJQRXVnOlG9sVc
Response: 404 "Not Found"


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org