Analysis Report for 48ebcf4c6039afb8b3ad94a92bd83c6f-48ebcf4c6039afb8b3ad94a92bd83c6f-1334028614

Comment on this report

Summary:

Description	Risk
Write to foreign memory areas: This executable tampers with the execution of another process.
Change Windows Firewall settings: This executable changes some settings of windows firewall.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Harvest email addresses: This executable harvest email addresses from the system, probably to send SPAM to these addresses or propagate by email.
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Execution did not terminate correctly: The executable crashed.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable creates and/or modifies registry entries.

Table of Contents
expand all	collapse all
General information 48ebcf4c60.exe C:\48ebcf4c60.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities ebexfy.exe C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe Started by 48ebcf4c60.exe General Information a) Registry Activities b) File Activities c) Process Activities Explorer.EXE C:\WINDOWS\Explorer.EXE ebexfy.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities e) Other Activities wscntfy.exe C:\WINDOWS\system32\wscntfy.exe Explorer.EXE wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities ctfmon.exe C:\WINDOWS\system32\ctfmon.exe ebexfy.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities msmsgs.exe C:\Program Files\Messenger\msmsgs.exe ebexfy.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities reader_sl.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ebexfy.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities lklmxx.exe C:\Program Files\Common Files\lklmxx.exe ebexfy.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities dgwxqncxg.exe C:\Program Files\Common Files\dgwxqncxg.exe ebexfy.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities cmd.exe C:\WINDOWS\system32\cmd.exe Started by 48ebcf4c60.exe General Information a) Registry Activities b) File Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	246 s
Report created:	04/11/12, 05:06:49 UTC
Termination reason:	Timeout
Program version:	1.76.3841

2. 48ebcf4c60.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	48ebcf4c60.exe
MD5:	f35a678ac704579cd27fdd487fab314c
SHA-1:	35b5b3a6ee6a485bf08d5b7ebd4bf6ab8f63abff
File Size:	305704 Bytes
Command Line:	"C:\48ebcf4c60.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\IPHLPAPI.DLL	0x76D60000	0x00019000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000

2.a) 48ebcf4c60.exe - Registry Activities

	- Registry Keys Created:

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Local AppData	C:\Documents and Settings\Administrator\Local Settings\Application Data

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	DigitalProductId	0xa40000000300000037363438372d3634302d313435373233362d32333833	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	InstallDate	1212451221	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec	0x0a7907b1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local AppData	%USERPROFILE%\Local Settings\Application Data	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

2.b) 48ebcf4c60.exe - File Activities

	- Files Deleted:

C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe

	- Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp451b1467.bat

C:\Documents and Settings\Administrator\Application Data\Unylto

C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\kiet.atu

	- Files Read:

C:\48ebcf4c60.exe

PIPE\lsarpc

	- Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp451b1467.bat

C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe

MountPointManager

PIPE\lsarpc

\Device\Ip

\Device\Tcp

	- Directories Created:

C:\Documents and Settings\Administrator\Application Data\Unylto

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1
PIPE\lsarpc	0x0011C017	8

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1
\Device\Tcp	0x00120003	6
C:	0x004D0008	2
MountPointManager	0x006D0008	2

	- Memory Mapped Files:

File Name

C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\IPHLPAPI.DLL

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\cmd.exe

C:\Windows\AppPatch\sysmain.sdb

2.c) 48ebcf4c60.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe
	"C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe"
C:\WINDOWS\system32\cmd.exe
	"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp451b1467.bat"

	- Remote Threads Created:

Affected Process

C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe

C:\WINDOWS\system32\cmd.exe

	- Foreign Memory Regions Read:

Process: C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe

Process: C:\WINDOWS\system32\cmd.exe

	- Foreign Memory Regions Written:

Process: C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe

Process: C:\WINDOWS\system32\cmd.exe

3. ebexfy.exe

	- General information about this executable

Analysis Reason:	Started by 48ebcf4c60.exe
Filename:	ebexfy.exe
Command Line:	"C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\IPHLPAPI.DLL	0x76D60000	0x00019000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000

3.a) ebexfy.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	18e7b756	FXlVsdJpsxU=1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Local AppData	C:\Documents and Settings\Administrator\Local Settings\Application Data

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local AppData	%USERPROFILE%\Local Settings\Application Data	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

3.b) ebexfy.exe - File Activities

	- Files Read:

C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe

PIPE\lsarpc

	- Files Modified:

MountPointManager

PIPE\lsarpc

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
C:\Documents and Settings\Administrator\Application Data	0x00090028	1
PIPE\lsarpc	0x0011C017	4

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1
\Device\Tcp	0x00120003	6
C:	0x004D0008	1
MountPointManager	0x006D0008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\IPHLPAPI.DLL

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

3.c) ebexfy.exe - Process Activities

	- Remote Threads Created:

Affected Process

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\Common Files\lklmxx.exe

C:\Program Files\Common Files\dgwxqncxg.exe

C:\48ebcf4c60.exe

	- Foreign Memory Regions Written:

Process: C:\48ebcf4c60.exe

Process: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

Process: C:\Program Files\Common Files\dgwxqncxg.exe

Process: C:\Program Files\Common Files\lklmxx.exe

Process: C:\Program Files\Messenger\msmsgs.exe

Process: C:\WINDOWS\explorer.exe

Process: C:\WINDOWS\system32\ctfmon.exe

4. Explorer.EXE

	- General information about this executable

Analysis Reason:	ebexfy.exe wrote to the virtual memory of this process
Filename:	Explorer.EXE
Command Line:	C:\WINDOWS\Explorer.EXE
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\BROWSEUI.dll	0x75F80000	0x000FD000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHDOCVW.dll	0x7E290000	0x00171000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\CRYPTUI.dll	0x754D0000	0x00080000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\appHelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\System32\cscui.dll	0x77A20000	0x00054000
C:\WINDOWS\System32\CSCDLL.dll	0x76600000	0x0001D000
C:\WINDOWS\system32\themeui.dll	0x5BA60000	0x00071000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\xpsp2res.dll	0x00AC0000	0x002C5000
C:\WINDOWS\system32\actxprxy.dll	0x71D40000	0x0001B000
C:\WINDOWS\system32\msutb.dll	0x5FC10000	0x00033000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\urlmon.dll	0x7E1E0000	0x000A2000
C:\WINDOWS\system32\LINKINFO.dll	0x76980000	0x00008000
C:\WINDOWS\system32\ntshrui.dll	0x76990000	0x00025000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\msi.dll	0x7D1E0000	0x002BC000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\webcheck.dll	0x74B30000	0x00046000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\stobject.dll	0x76280000	0x00021000
C:\WINDOWS\system32\BatMeter.dll	0x74AF0000	0x0000A000
C:\WINDOWS\system32\POWRPROF.dll	0x74AD0000	0x00008000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\NETSHELL.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\System32\drprov.dll	0x75F60000	0x00007000
C:\WINDOWS\System32\ntlanman.dll	0x71C10000	0x0000E000
C:\WINDOWS\System32\NETUI0.dll	0x71CD0000	0x00017000
C:\WINDOWS\System32\NETUI1.dll	0x71C90000	0x00040000
C:\WINDOWS\System32\NETRAP.dll	0x71C80000	0x00007000
C:\WINDOWS\System32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\System32\davclnt.dll	0x75F70000	0x0000A000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\MSGINA.dll	0x75970000	0x000F8000
C:\WINDOWS\system32\ODBC32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\odbcint.dll	0x01350000	0x00017000
C:\WINDOWS\system32\browselc.dll	0x71600000	0x00012000
C:\WINDOWS\system32\shdoclc.dll	0x71800000	0x00088000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\sensapi.dll	0x722B0000	0x00005000
C:\WINDOWS\system32\MLANG.dll	0x75CF0000	0x00091000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.DLL	0x76EE0000	0x0003C000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000

4.a) Explorer.EXE - Registry Activities

	- Registry Keys Created:

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy

	- Registry Values Modified:

Key	Name	New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	DisableNotifications	1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	10088:UDP	10088:UDP:*:Enabled:UDP 10088
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	19023:TCP	19023:TCP:*:Enabled:TCP 19023
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	151d866h	W3kHsUm75FhH1FdhSR9Zm0+KCK2roEyX6eUKJOP2XamLn4hr1dZEZqwk1JD1jIAZQwa2MUyAXiI=.
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec	S3kHsQ==
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	2d6gic4g	0x335e07b1fc238a1504910535
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	5cbc5j5
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\Currentversion\Run	{B0F8B226-65CD-AD7D-E811-5333C5ED7021}	"C:\Documents and Settings\Administrator\Application Data\Unylto\ebexfy.exe"
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000001600000001000000000000000000000000000000040000000000

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\CLSID\{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}\INPROCSERVER32		C:\WINDOWS\system32\hnetcfg.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\INPROCSERVER32		C:\WINDOWS\system32\hnetcfg.dll	3
HKLM\SOFTWARE\CLASSES\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/HTML	Extension	.htm	2
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	ConsoleTracingMask	4294901760	1
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	EnableConsoleTracing	0	1
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	EnableFileTracing	0	1
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	FileDirectory	%windir%\tracing	2
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	FileTracingMask	4294901760	1
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	MaxFileSize	1048576	1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001	Name	Microsoft Strong Cryptographic Provider	80
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Image Path	rsaenh.dll	80
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Type	1	20
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 1.1.4322		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 2.0.50727		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 3.0.04506.30		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 3.0.04506.648		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 3.5.21022		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET4.0C		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET4.0E		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	SV1		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens			1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens	MSN 2.0		1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens	MSN 2.5		1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	DisableNotifications	0	1
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0b00000000000000	8
HKLM\Software\Microsoft\Cryptography	MachineGuid	4604e8cc-5b9c-4ffb-a374-a62e6d0494fc	80
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING	Explorer.EXE	1	1
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	4
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500	ProfileImagePath	%SystemDrive%\Documents and Settings\Administrator	2
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	2
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	4
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	0	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	3
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	3
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TMP	%USERPROFILE%\Local Settings\Temp	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	EnableNegotiate	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	WarnOnPost	0x01000000	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	User Agent	Mozilla/4.0 (compatible; MSIE 6.0; Win32)	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	151d866h	W3kHsUm75FhH1FdhSR9Zm0+KCK2roEyX6eUKJOP2XamLn4hr1dZEZqwk1JD1jIAZQwa2MUyAXiK5hGpadgUWHxhBShGWpPWgBfXKuHd/Jkk7JGvt7PbLefKvuFlD5RJ1qyg7bSUikEC6SFLj87+GTQ==	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	5cbc5j5	W3kHsbNpihUEoQQ1Z08V0FntOFj2jDFUmrWD5cbbkywfM5Q2ZFY3XJwk1JD1jIAZQwa2MUyAXiK5hGo3n6Ann5tk/C7EdliTePJ4ttTUlzAie8HfU2wiqGfE0Zexto95yJAYgH+G018bmJ+KVzf46BJa+tETJ2qSBuUdiccEFAJucePVCffG5YnAAAn6Y9rt7pdgQ89IvJ/mL8POTO7PUQmZrt/nHz5xyXmvncZmK45iYhi4YAUzpaIPDNCXteZ9hLLpWRdxh6LGPGkTpXs25TN2lmo+XGaB+aKrcJTjaqf5L5Om7xrwcGSrA8JHtlgF7Gvni77Qhfmtw+tuzN6cZb2/PRrCDmaPE0IQfpbUri5NI15G82fEkD+E3iu3ihIH2S8nllROTvmcNZU79dHVfyFgCo7s6fKCzog9zFXtMME+qMvClGy8Xs1qGSK1WRWN1E6HOOlCiw0tS0awVoNhru8YqyHQplVg09zyT8sGOdHFgRDtSt/DW5slfdrVyVp26L7ILQf9jR2+fiLtyOfwspSzegW7uQ7aMr/8DWcbK/7KCHlLAdn7HKF+HWM3PTIiNazk9sSDwWpF4X5U6YugfF/TjpbEW+AuDA3gxBQVhRF7ze0o0nOKwTkk/g==	7
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IntranetName	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ProxyBypass	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	http	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	2101	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	DefaultConnectionSettings	0x3c0000000300000001000000000000000000000000000000040000000000	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000001500000001000000000000000000000000000000040000000000	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	APPDATA	C:\Documents and Settings\Administrator\Application Data	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	CLIENTNAME	Console	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEDRIVE	C:	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEPATH	\Documents and Settings\Administrator	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMESHARE		4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	LOGONSERVER	\\PC	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	SESSIONNAME	Console	4

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	0	Attributes Change,Value Change,Security Descriptor Change	1
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	2
HKU	1	Key Change,Value Change	2

4.b) Explorer.EXE - File Activities

	- Files Deleted:

C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@java[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@promotion.adobe[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@sun[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@walkernews[1].txt

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\google[1].htm

	- Files Created:

C:\Documents and Settings\Administrator\Local Settings\Application Data\kiet.atu

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\google[1].htm

	- Files Read:

C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@java[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@promotion.adobe[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@sun[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@walkernews[1].txt

PIPE\lsarpc

c:\autoexec.bat

	- Files Modified:

C:\Documents and Settings\Administrator\Local Settings\Application Data\kiet.atu

PIPE\lsarpc

\Device\Afd\AsyncConnectHlp

\Device\Afd\Endpoint

\Device\RasAcd

	- File System Control Communication:

File	Control Code	Times
C:\lsarpc, Flags: Named pipe	0x0011C017	7
PIPE\lsarpc	0x0011C017	13

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00228144	1
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	29
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	17
\Device\Afd\Endpoint	AFD_SET_INFO (0x0001203B)	11
\Device\Afd\Endpoint	AFD_EVENT_SELECT (0x00012087)	11
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	7
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	6
\Device\Afd\Endpoint	AFD_START_LISTEN (0x0001200B)	1
\Device\Afd\Endpoint	AFD_SEND_DATAGRAM (0x00012023)	12
\Device\Afd\Endpoint	AFD_ENUM_NETWORK_EVENTS (0x0001208B)	9
\Device\Afd\Endpoint	AFD_RECV_DATAGRAM (0x0001201B)	8
\Device\Afd\AsyncConnectHlp	AFD_CONNECT (0x00012007)	3
\Device\Afd\Endpoint	AFD_CONNECT (0x00012007)	2
unnamed file	0x00120028	2
\Device\Afd\Endpoint	AFD_SEND (0x0001201F)	2
\Device\Afd\Endpoint	AFD_RECV (0x00012017)	2

	- Memory Mapped Files:

File Name

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\MLANG.dll

C:\WINDOWS\system32\RASAPI32.DLL

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

C:\WINDOWS\system32\rasadhlp.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\sensapi.dll

4.c) Explorer.EXE - Process Activities

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\wscntfy.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\wscntfy.exe

4.d) Explorer.EXE - Network Activity

	- DNS Queries:

Name	Query Type	Query Result	Successful	Protocol
www.google.com	DNS_TYPE_A	173.194.35.145 173.194.35.146 173.194.35.147 173.194.35.148 173.194.35.144	YES	udp
www.google.de	DNS_TYPE_A	173.194.35.151 173.194.35.152 173.194.35.159	YES	udp

	- Opened Listening Ports:

Port	Type
19023	tcp

	- HTTP Conversations:

From ANUBIS:1030 to 173.194.35.145:80 - [www.google.com]
Request: GET /
Response: 302 "Found"
From ANUBIS:1031 to 173.194.35.151:80 - [www.google.de]
Request: GET /
Response: 200 "OK"

	- Unknown UDP Traffic:

from ANUBIS:10088 to 124.11.83.117:18725

State: Normal establishment and termination - Transferred outbound Bytes: 304 - Transferred inbound Bytes: 2268

from ANUBIS:10088 to 195.164.49.134:12345

State: Normal establishment and termination - Transferred outbound Bytes: 837 - Transferred inbound Bytes: 566

	- TCP Connection Attempts:

from ANUBIS:1028 to 195.164.49.134:22222

from ANUBIS:1029 to 93.177.128.115:12346

from ANUBIS:1032 to 93.177.128.115:12346

4.e) Explorer.EXE - Other Activities

	- Mutexes Created:

Global\{2352FD09-2AE2-3ED7-05EB-B06D2817937F}

Global\{2352FD09-2AE2-3ED7-15E9-B06D3815937F}

Global\{2352FD09-2AE2-3ED7-15EE-B06D3812937F}

Global\{2352FD09-2AE2-3ED7-1DEA-B06D3016937F}

Global\{2352FD09-2AE2-3ED7-29E9-B06D0415937F}

Global\{2352FD09-2AE2-3ED7-2DE8-B06D0014937F}

Global\{2352FD09-2AE2-3ED7-55EB-B06D7817937F}

Global\{2352FD09-2AE2-3ED7-61EB-B06D4C17937F}

Global\{2352FD09-2AE2-3ED7-7DE8-B06D5014937F}

Global\{2352FD09-2AE2-3ED7-7DEB-B06D5017937F}

Global\{2352FD09-2AE2-3ED7-85EB-B06DA817937F}

Global\{2352FD09-2AE2-3ED7-89E9-B06DA415937F}

Global\{2352FD09-2AE2-3ED7-89EB-B06DA417937F}

Global\{2352FD09-2AE2-3ED7-89EE-B06DA412937F}

Global\{2352FD09-2AE2-3ED7-8DEF-B06DA013937F}

Global\{2352FD09-2AE2-3ED7-ADEE-B06D8012937F}

Global\{2352FD09-2AE2-3ED7-B1E8-B06D9C14937F}

Global\{2352FD09-2AE2-3ED7-B1EE-B06D9C12937F}

Global\{2352FD09-2AE2-3ED7-B5EC-B06D9810937F}

Global\{2352FD09-2AE2-3ED7-B9EE-B06D9412937F}

Global\{2352FD09-2AE2-3ED7-C1EC-B06DEC10937F}

Global\{2352FD09-2AE2-3ED7-C9EC-B06DE410937F}

Global\{2352FD09-2AE2-3ED7-FDEC-B06DD010937F}

Global\{370A7811-AFFA-2A8F-E811-5333C5ED7021}

Global\{370A7816-AFFD-2A8F-E811-5333C5ED7021}

Global\{3BE6AF24-78CF-2663-E811-5333C5ED7021}

Global\{5D329B3C-4CD7-40B7-E811-5333C5ED7021}

Global\{C84914F5-C31E-D5CC-E811-5333C5ED7021}

Global\{EDE09917-4EFC-F065-E811-5333C5ED7021}

Local\{56ECCE04-19EF-4B69-E811-5333C5ED7021}

Local\{56ECCE05-19EE-4B69-E811-5333C5ED7021}

	- Keyboard Keys Monitored:

Virtual Key Code	Times
VK_LBUTTON (1)	230

5. ctfmon.exe

	- General information about this executable

Analysis Reason:	ebexfy.exe wrote to the virtual memory of this process
Filename:	ctfmon.exe
Command Line:	"C:\WINDOWS\system32\ctfmon.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\MSUTB.dll	0x5FC10000	0x00033000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\IPHLPAPI.DLL	0x76D60000	0x00019000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000

5.a) ctfmon.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec	SnkHsQ==

	- Registry Values Read:

Key	Name	Value	Times
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16	Dll	cryptnet.dll	1
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16	FuncName	LdapProvOpenStore	1
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap	Dll	cryptnet.dll	1
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap	FuncName	LdapProvOpenStore	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500	ProfileImagePath	%SystemDrive%\Documents and Settings\Administrator	1
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	1
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TMP	%USERPROFILE%\Local Settings\Temp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec		2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	APPDATA	C:\Documents and Settings\Administrator\Application Data	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	CLIENTNAME	Console	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEDRIVE	C:	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEPATH	\Documents and Settings\Administrator	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMESHARE		2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	LOGONSERVER	\\PC	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	SESSIONNAME	Console	2

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

5.b) ctfmon.exe - File Activities

	- Files Read:

PIPE\lsarpc

c:\autoexec.bat

	- Files Modified:

PIPE\lsarpc

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	5

	- Device Control Communication:

File	Control Code	Times
\Device\Tcp	0x00120003	6

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\IPHLPAPI.DLL

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

6. msmsgs.exe

	- General information about this executable

Analysis Reason:	ebexfy.exe wrote to the virtual memory of this process
Filename:	msmsgs.exe
Command Line:	"C:\Program Files\Messenger\msmsgs.exe" /background
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll	0x4EC50000	0x001A6000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\cryptdll.dll	0x76790000	0x0000C000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\XPOB2RES.DLL	0x10000000	0x0006C000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\xpsp2res.dll	0x00890000	0x002C5000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000
C:\WINDOWS\system32\es.dll	0x77710000	0x00042000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000

	- Run-time Dlls

Module Name	Base Address	Size
C:\Program Files\Common Files\System\wab32res.dll	0x35F40000	0x0003F000
C:\Program Files\Common Files\System\wab32.dll	0x470D0000	0x00081000
C:\WINDOWS\system32\msident.dll	0x608A0000	0x0000F000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\msoeacct.dll	0x68810000	0x00042000
C:\WINDOWS\system32\acctres.dll	0x71780000	0x00012000
C:\WINDOWS\system32\MSOERT2.dll	0x76880000	0x00022000

6.a) msmsgs.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Server ID	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	FirstRun	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	OlkContactRefresh	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	OlkFolderRefresh	0

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\INPROCSERVER32		oleaut32.dll	2
HKLM\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{00020424-0000-0000-C000-000000000046}\INPROCSERVER32		oleaut32.dll	3
HKLM\SOFTWARE\CLASSES\CLSID\{00020424-0000-0000-C000-000000000046}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{8D4B04E1-1331-11D0-81B8-00C04FD85AB4}\INPROCSERVER32		%SystemRoot%\system32\msoeacct.dll	2
HKLM\SOFTWARE\CLASSES\CLSID\{8D4B04E1-1331-11D0-81B8-00C04FD85AB4}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}\INPROCSERVER32		C:\WINDOWS\system32\msident.dll	2
HKLM\SOFTWARE\CLASSES\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{00020400-0000-0000-C000-000000000046}\PROXYSTUBCLSID32		{00020420-0000-0000-C000-000000000046}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\PROXYSTUBCLSID32		{00020424-0000-0000-C000-000000000046}	3
HKLM\SOFTWARE\CLASSES\INTERFACE\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\TYPELIB		{D597DEED-5B9F-11D1-8DD2-00AA004ABD5E}	2
HKLM\SOFTWARE\CLASSES\INTERFACE\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\TYPELIB	Version	2.0	2
HKLM\SOFTWARE\CLASSES\TYPELIB\{00020430-0000-0000-C000-000000000046}\2.0\0\WIN32		C:\WINDOWS\system32\stdole2.tlb	1
HKLM\SOFTWARE\CLASSES\TYPELIB\{D597DEED-5B9F-11D1-8DD2-00AA004ABD5E}\2.0\0\WIN32		C:\WINDOWS\system32\SENS.DLL	2
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001	Name	Microsoft Strong Cryptographic Provider	4
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Image Path	rsaenh.dll	4
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Type	1	1
HKLM\SOFTWARE\Microsoft\WAB\DLLPath		C:\Program Files\Common Files\System\wab32.dll	1
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0b00000000000000	18
HKLM\Software\Microsoft\Cryptography	MachineGuid	4604e8cc-5b9c-4ffb-a374-a62e6d0494fc	4
HKLM\Software\Microsoft\Internet Account Manager\Preconfigured	PreConfigVer	4	1
HKLM\Software\Microsoft\Internet Account Manager\Preconfigured	PreConfigVerNTDS	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\MESSENGERSERVICE	MSNState	0x01000000	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Default LDAP Account	Active Directory GC	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Default Mail Account	00000001	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVer	4	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVerNTDS	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	Account Name	pop.rambo.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	Connection Type	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Prompt for Password	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Server	pop.rambo.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Skip Account	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Use Sicily	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 User Name	john.ramo	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Display Name	John Walker	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Email Address	john.ramo@seclab.tuwien.ac.at	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Server	seclab.tuwien.ac.at	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	Account Name	Active Directory	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Authentication	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Bind DN	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Port	3268	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Resolve Flag	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Base	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Secure Connection	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server ID	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Simple Search	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP User Name	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	Account Name	Bigfoot Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Logo	%ProgramFiles%\Common Files\Services\bigfoot.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server	ldap.bigfoot.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server ID	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP URL	http://www.bigfoot.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	Account Name	VeriSign Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Logo	%ProgramFiles%\Common Files\Services\verisign.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Base	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server	directory.verisign.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server ID	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP URL	http://www.verisign.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	Account Name	WhoWhere Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Logo	%ProgramFiles%\Common Files\Services\whowhere.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server	ldap.whowhere.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server ID	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP URL	http://www.whowhere.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec		2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	OlkContactRefresh	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	OlkFolderRefresh	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4\Wab File Name		C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKU	1	Key Change,Value Change	5

6.b) msmsgs.exe - File Activities

	- Files Read:

C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab

C:\Documents and Settings\Administrator\Local Settings\Application Data\kiet.atu

C:\WINDOWS\system32\SENS.DLL

C:\WINDOWS\system32\rsaenh.dll

C:\WINDOWS\system32\stdole2.tlb

PIPE\lsarpc

	- Files Modified:

C:\Documents and Settings\Administrator\Local Settings\Application Data\kiet.atu

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	5

	- Memory Mapped Files:

File Name

C:\Program Files\Common Files\System\wab32.dll

C:\Program Files\Common Files\System\wab32res.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\MSOERT2.dll

C:\WINDOWS\system32\SENS.DLL

C:\WINDOWS\system32\acctres.dll

C:\WINDOWS\system32\msident.dll

C:\WINDOWS\system32\msoeacct.dll

C:\WINDOWS\system32\rsaenh.dll

C:\WINDOWS\system32\stdole2.tlb

	- Directories Monitored:

Directory	Watch subtree	Notify Filter	Count
C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book	0	Last Write Change	1

7. reader_sl.exe

	- General information about this executable

Analysis Reason:	ebexfy.exe wrote to the virtual memory of this process
Filename:	reader_sl.exe
Command Line:	"C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll	0x7C420000	0x00087000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll	0x78130000	0x0009B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000

	- Run-time Dlls

Module Name	Base Address	Size
C:\Program Files\Common Files\System\wab32res.dll	0x35F40000	0x0003F000
C:\Program Files\Common Files\System\wab32.dll	0x470D0000	0x00081000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\msident.dll	0x608A0000	0x0000F000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\msoeacct.dll	0x68810000	0x00042000
C:\WINDOWS\system32\acctres.dll	0x71780000	0x00012000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\MSOERT2.dll	0x76880000	0x00022000
C:\WINDOWS\system32\IPHLPAPI.DLL	0x76D60000	0x00019000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

7.a) reader_sl.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Server ID	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Adobe\Acrobat Reader\8.0\InstallPath		C:\Program Files\Adobe\Reader 8.0\Reader	4
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32		%SystemRoot%\system32\SHELL32.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{8D4B04E1-1331-11D0-81B8-00C04FD85AB4}\INPROCSERVER32		%SystemRoot%\system32\msoeacct.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{8D4B04E1-1331-11D0-81B8-00C04FD85AB4}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}\INPROCSERVER32		C:\WINDOWS\system32\msident.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\DIRECTORY	AlwaysShowExt		1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001	Name	Microsoft Strong Cryptographic Provider	4
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Image Path	rsaenh.dll	4
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Type	1	1
HKLM\SOFTWARE\Microsoft\WAB\DLLPath		C:\Program Files\Common Files\System\wab32.dll	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0b00000000000000	4
HKLM\Software\Microsoft\Cryptography	MachineGuid	4604e8cc-5b9c-4ffb-a374-a62e6d0494fc	4
HKLM\Software\Microsoft\Internet Account Manager\Preconfigured	PreConfigVer	4	1
HKLM\Software\Microsoft\Internet Account Manager\Preconfigured	PreConfigVerNTDS	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	D:\	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKLM\System\WPA\PnP	seed	1274198464	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Default LDAP Account	Active Directory GC	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Default Mail Account	00000001	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVer	4	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVerNTDS	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	Account Name	pop.rambo.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	Connection Type	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Prompt for Password	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Server	pop.rambo.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Skip Account	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Use Sicily	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 User Name	john.ramo	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Display Name	John Walker	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Email Address	john.ramo@seclab.tuwien.ac.at	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Server	seclab.tuwien.ac.at	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	Account Name	Active Directory	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Authentication	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Bind DN	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Port	3268	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Resolve Flag	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Base	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Secure Connection	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server ID	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Simple Search	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP User Name	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	Account Name	Bigfoot Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Logo	%ProgramFiles%\Common Files\Services\bigfoot.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server	ldap.bigfoot.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server ID	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP URL	http://www.bigfoot.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	Account Name	VeriSign Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Logo	%ProgramFiles%\Common Files\Services\verisign.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Base	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server	directory.verisign.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server ID	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP URL	http://www.verisign.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	Account Name	WhoWhere Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Logo	%ProgramFiles%\Common Files\Services\whowhere.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server	ldap.whowhere.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server ID	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP URL	http://www.whowhere.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec		2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	FirstRun	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	OlkContactRefresh	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	OlkFolderRefresh	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4\Wab File Name		C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\	ShellState	0x2400000038080000000000000000000000000000010000000d0000000000	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\	Data	0x000000005c005c003f005c0049004400450023004300640052006f006d00	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\	Generation	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\	Data	0x000000005c005c003f005c00530054004f00520041004700450023005600	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\	Generation	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKU	1	Key Change,Value Change	3

7.b) reader_sl.exe - File Activities

	- Files Read:

C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab

C:\Documents and Settings\Administrator\Application Data\desktop.ini

C:\Documents and Settings\Administrator\Local Settings\Application Data\kiet.atu

C:\WINDOWS\Registration\R00000000000b.clb

C:\WINDOWS\system32\rsaenh.dll

PIPE\lsarpc

	- Files Modified:

C:\Documents and Settings\Administrator\Local Settings\Application Data\kiet.atu

MountPointManager

PIPE\lsarpc

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	10

	- Device Control Communication:

File	Control Code	Times
\Device\Tcp	0x00120003	6
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0008	2
STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0034	4

	- Memory Mapped Files:

File Name

C:\Program Files\Common Files\System\wab32.dll

C:\Program Files\Common Files\System\wab32res.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\IPHLPAPI.DLL

C:\WINDOWS\system32\MSOERT2.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\acctres.dll

C:\WINDOWS\system32\msident.dll

C:\WINDOWS\system32\msoeacct.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\rsaenh.dll

	- Directories Monitored:

Directory	Watch subtree	Notify Filter	Count
C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book	0	Last Write Change	1

8. wscntfy.exe

	- General information about this executable

Analysis Reason:	Explorer.EXE wrote to the virtual memory of this process
Filename:	wscntfy.exe
Command Line:	C:\WINDOWS\system32\wscntfy.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\xpsp2res.dll	0x007C0000	0x002C5000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\IPHLPAPI.DLL	0x76D60000	0x00019000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000

8.a) wscntfy.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec	0x0a7907b1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

8.b) wscntfy.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	4

	- Device Control Communication:

File	Control Code	Times
\Device\Tcp	0x00120003	6

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\IPHLPAPI.DLL

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

9. lklmxx.exe

	- General information about this executable

Analysis Reason:	ebexfy.exe wrote to the virtual memory of this process
Filename:	lklmxx.exe
Command Line:	"C:\Program Files\Common Files\lklmxx.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\uxtheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\msoeacct.dll	0x68810000	0x00042000
C:\WINDOWS\system32\acctres.dll	0x71780000	0x00012000
C:\WINDOWS\system32\MSOERT2.dll	0x76880000	0x00022000
C:\WINDOWS\system32\IPHLPAPI.DLL	0x76D60000	0x00019000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000

9.a) lklmxx.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Server ID	4

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\CLSID\{8D4B04E1-1331-11D0-81B8-00C04FD85AB4}\INPROCSERVER32		%SystemRoot%\system32\msoeacct.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{8D4B04E1-1331-11D0-81B8-00C04FD85AB4}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001	Name	Microsoft Strong Cryptographic Provider	4
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Image Path	rsaenh.dll	4
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Type	1	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0b00000000000000	2
HKLM\Software\Microsoft\Internet Account Manager\Preconfigured	PreConfigVer	4	1
HKLM\Software\Microsoft\Internet Account Manager\Preconfigured	PreConfigVerNTDS	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Default LDAP Account	Active Directory GC	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Default Mail Account	00000001	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVer	4	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVerNTDS	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	Account Name	pop.rambo.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	Connection Type	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Prompt for Password	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Server	pop.rambo.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Skip Account	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Use Sicily	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 User Name	john.ramo	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Display Name	John Walker	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Email Address	john.ramo@seclab.tuwien.ac.at	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Server	seclab.tuwien.ac.at	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	Account Name	Active Directory	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Authentication	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Bind DN	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Port	3268	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Resolve Flag	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Base	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Secure Connection	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server ID	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Simple Search	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP User Name	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	Account Name	Bigfoot Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Logo	%ProgramFiles%\Common Files\Services\bigfoot.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server	ldap.bigfoot.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server ID	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP URL	http://www.bigfoot.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	Account Name	VeriSign Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Logo	%ProgramFiles%\Common Files\Services\verisign.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Base	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server	directory.verisign.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server ID	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP URL	http://www.verisign.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	Account Name	WhoWhere Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Logo	%ProgramFiles%\Common Files\Services\whowhere.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server	ldap.whowhere.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server ID	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP URL	http://www.whowhere.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec		2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKU	1	Key Change,Value Change	3

9.b) lklmxx.exe - File Activities

	- Files Read:

C:\Documents and Settings\Administrator\Local Settings\Application Data\kiet.atu

C:\WINDOWS\Registration\R00000000000b.clb

C:\WINDOWS\system32\rsaenh.dll

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	4

	- Device Control Communication:

File	Control Code	Times
\Device\Tcp	0x00120003	6

	- Memory Mapped Files:

File Name

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\IPHLPAPI.DLL

C:\WINDOWS\system32\MSOERT2.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\acctres.dll

C:\WINDOWS\system32\msoeacct.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\rsaenh.dll

10. dgwxqncxg.exe

	- General information about this executable

Analysis Reason:	ebexfy.exe wrote to the virtual memory of this process
Filename:	dgwxqncxg.exe
Command Line:	"C:\Program Files\Common Files\dgwxqncxg.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.DLL	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000

	- Run-time Dlls

Module Name	Base Address	Size
C:\Program Files\Common Files\System\wab32res.dll	0x35F40000	0x0003F000
C:\Program Files\Common Files\System\wab32.dll	0x470D0000	0x00081000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\PSTOREC.DLL	0x5E0C0000	0x0000D000
C:\WINDOWS\system32\msidntld.dll	0x60890000	0x00006000
C:\WINDOWS\system32\msident.dll	0x608A0000	0x0000F000
C:\WINDOWS\system32\msoeacct.dll	0x68810000	0x00042000
C:\WINDOWS\system32\acctres.dll	0x71780000	0x00012000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\MSOERT2.dll	0x76880000	0x00022000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\IPHLPAPI.DLL	0x76D60000	0x00019000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000

	- Program output

Stdout:

.............

10.a) dgwxqncxg.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities	Identity Login	622675
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities	Identity Ordinal	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities	Last User ID	{42D8066E-F069-48E2-9549-21646EC1BC68}
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities	Last Username	Main Identity
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Server ID	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec	0x0a7907b1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\CLSID\{8D4B04E1-1331-11D0-81B8-00C04FD85AB4}\INPROCSERVER32		%SystemRoot%\system32\msoeacct.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{8D4B04E1-1331-11D0-81B8-00C04FD85AB4}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}\INPROCSERVER32		C:\WINDOWS\system32\msident.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\WAB\DLLPath		C:\Program Files\Common Files\System\wab32.dll	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0b00000000000000	4
HKLM\Software\Microsoft\Internet Account Manager\Preconfigured	PreConfigVer	4	1
HKLM\Software\Microsoft\Internet Account Manager\Preconfigured	PreConfigVerNTDS	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities	Default User ID	{42D8066E-F069-48E2-9549-21646EC1BC68}	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities	Identity Ordinal	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities	Migrated5	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities\{42D8066E-F069-48E2-9549-21646EC1BC68}	Identity Ordinal	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities\{42D8066E-F069-48E2-9549-21646EC1BC68}	User ID	{42D8066E-F069-48E2-9549-21646EC1BC68}	10
HKU\S-1-5-21-842925246-1425521274-308236825-500\Identities\{42D8066E-F069-48E2-9549-21646EC1BC68}	Username	Main Identity	14
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Default LDAP Account	Active Directory GC	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager	Default Mail Account	00000001	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVer	4	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVerNTDS	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	Account Name	pop.rambo.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	Connection Type	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Prompt for Password	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Server	pop.rambo.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Skip Account	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 Use Sicily	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	POP3 User Name	john.ramo	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Display Name	John Walker	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Email Address	john.ramo@seclab.tuwien.ac.at	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\00000001	SMTP Server	seclab.tuwien.ac.at	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	Account Name	Active Directory	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Authentication	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Bind DN	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Port	3268	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Resolve Flag	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Base	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Secure Connection	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server ID	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Simple Search	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP User Name	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	Account Name	Bigfoot Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Logo	%ProgramFiles%\Common Files\Services\bigfoot.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server	ldap.bigfoot.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server ID	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP URL	http://www.bigfoot.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	Account Name	VeriSign Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Logo	%ProgramFiles%\Common Files\Services\verisign.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Base	NULL	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server	directory.verisign.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server ID	2	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP URL	http://www.verisign.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	Account Name	WhoWhere Internet Directory Service	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Authentication	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Logo	%ProgramFiles%\Common Files\Services\whowhere.bmp	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Search Return	100	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server	ldap.whowhere.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server ID	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Simple Search	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Timeout	60	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP URL	http://www.whowhere.com	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec		2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	FirstRun	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	OlkContactRefresh	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4	OlkFolderRefresh	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\WAB\WAB4\Wab File Name		C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKU	1	Key Change,Value Change	3

10.b) dgwxqncxg.exe - File Activities

	- Files Read:

C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab

C:\WINDOWS\Registration\R00000000000b.clb

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	4

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8
\Device\Tcp	0x00120003	6

	- Memory Mapped Files:

File Name

C:\Program Files\Common Files\System\wab32.dll

C:\Program Files\Common Files\System\wab32res.dll

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\ATL.DLL

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\IPHLPAPI.DLL

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSOERT2.dll

C:\WINDOWS\system32\PSTOREC.DLL

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\acctres.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\msident.dll

C:\WINDOWS\system32\msidntld.dll

C:\WINDOWS\system32\msoeacct.dll

C:\WINDOWS\system32\rpcss.dll

	- Directories Monitored:

Directory	Watch subtree	Notify Filter	Count
C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book	0	Last Write Change	1

11. cmd.exe

	- General information about this executable

Analysis Reason:	Started by 48ebcf4c60.exe
Filename:	cmd.exe
Command Line:	"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp451b1467.bat"
Process-status at analysis end:	dead
Exit Code:	1

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\IPHLPAPI.DLL	0x76D60000	0x00019000

11.a) cmd.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	0x01000000100000000204000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	0x01000000100000001100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	0x0100000010000000550000001e000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	0x01000000100000000200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	0x01000000120000006001000016000000610100001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	0x010000001000000006000000120000000700000012000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	0x0100000010000000420000001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	0x01000000100000003100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	0x01000000100000003001000016000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	0x01000000100000002200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	1	1
HKLM\Software\Microsoft\Command Processor	AutoRun		1
HKLM\Software\Microsoft\Command Processor	CompletionChar	64	1
HKLM\Software\Microsoft\Command Processor	DefaultColor	0	1
HKLM\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKLM\Software\Microsoft\Command Processor	PathCompletionChar	64	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	midimapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	msadp32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	msgsm32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.I420		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M261		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M263		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.cvid		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv31		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv32		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv41		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv50		1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iyuv		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.mrle		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.msvc		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.uyvy		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yuy2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvu9		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvyu		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	wavemapper		2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	1
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\Nls\Language Groups	1	1	1
HKLM\System\CurrentControlSet\Control\Nls\Locale	00000C07	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor	CompletionChar	9	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor	DefaultColor	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Privacy	CleanCookies	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio	SystemFormats	CD Quality,Radio Quality,Telephone Quality	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Qoyxy	1d7011ec	0x0a7907b1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1609	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1406	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	1609	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

11.b) cmd.exe - File Activities

	- Files Deleted:

C:\48ebcf4c60.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp451b1467.bat

	- Files Read:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp451b1467.bat

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1
PIPE\lsarpc	0x0011C017	4

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1
\Device\Tcp	0x00120003	6

	- Memory Mapped Files:

File Name

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp451b1467.bat

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\IPHLPAPI.DLL

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\comctl32.dll

C:\Windows\AppPatch\sysmain.sdb

Analysis Report for 48ebcf4c6039afb8b3ad94a92bd83c6f-48ebcf4c6039afb8b3ad94a92bd83c6f-1334028614

Summary:

Table of Contents