Download Link: hxxp://58.65.239.42/ldc3hs/sev.exe
File Name: sev.exe

VirusTotal Result: 12/32 (37.50%)
AntiVir 7.8.0.8 2008.04.22 Worm/Zhelatin.AQ
AVG 7.5.0.516 2008.04.21 I-Worm/Nuwar.R
BitDefender 7.2 2008.04.22 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.04.21 (Suspicious) - DNAScan
DrWeb 4.44.0.09170 2008.04.22 Trojan.Packed.431
F-Secure 6.70.13260.0 2008.04.22 Trojan-Downloader.Win32.Cntr.q
Ikarus T3.1.1.26 2008.04.22 Trojan-Downloader.Win32.Cntr.q
Kaspersky 7.0.0.125 2008.04.22 Trojan-Downloader.Win32.Cntr.q
Panda 9.0.0.4 2008.04.21 Suspicious file
Prevx1 V2 2008.04.22 Covert.Sys.Exec
Sophos 4.28.0 2008.04.22 Mal/Generic-A
Webwasher-Gateway 6.6.2 2008.04.22 Worm.Zhelatin.AQ

File Info:
File size: 9728 bytes
MD5...: 07f982b0b439e348556eafe89d662778
SHA1..: 2b6b176b41918d6c5b75a49c596e438c87a38800
SHA256: 24db93f9373148a4cda6699c4c9990bd4b01030f4b1b623dee5be10cc0bf1c4d
SHA512: fe60e48de42494561f712efd39f338861772778bb4f9b496d5c49d9547974a40afcb974117ea1c341dd92a7315f64234119c61f0269859e5fc2aa2f4ac6a1897

***** PE Structure *************************************************
entry point address.: 0x401007
time date stamp.....: 0x480c3ddb (Mon Apr 21 07:10:19 2008)
machine type.......: 0x14c (I386)

***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0001
Time/Date stamp: 480C3DDB
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 0103
Magic: 010B
Linker version (major): 08
Linker version (minor): 00
Size of code: 00002400
Size of initialized data: 00000000
Size of uninitialized data: 00000000
Address of entry point: 00001007
Base of code: 00001000
Base of data: 00004000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00004000
Size of headers: 00000200
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0600
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

***** PE Sections **************************************************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
.text 00002394 00001000 00002400 00000200 E0000020

Process Details:
Filename: sev.exe
MD5: 07f982b0b439e348556eafe89d662778
SHA-1: 2b6b176b41918d6c5b75a49c596e438c87a38800
File Size: 9728 Bytes

Registry Values Changed:
Key Name New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\ WindowsSubVersion 41717788
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders AppData C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cookies C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders History C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AutoDetect 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ IntranetName 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ProxyBypass 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ UNCAsIntranet 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings MigrateProxy 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 0x460000005f00000001000000000000000000000000000000040000000000

Registry Read:
Key Name Value Times
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/HTML Extension .htm 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnablePunycode 1 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings UrlEncoding 0x00000000 2
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters Transports 0x5400630070006900700000004e0065007400420049004f00530000000000 2
HKLM\Software\Microsoft\Rpc\SecurityService 10 secur32.dll 1
HKLM\Software\Microsoft\Tracing EnableConsoleTracing 0 1
HKLM\Software\Microsoft\Tracing\RASAPI32 ConsoleTracingMask 4294901760 2
HKLM\Software\Microsoft\Tracing\RASAPI32 EnableConsoleTracing 0 2
HKLM\Software\Microsoft\Tracing\RASAPI32 EnableFileTracing 0 2
HKLM\Software\Microsoft\Tracing\RASAPI32 FileDirectory %windir%\tracing 4
HKLM\Software\Microsoft\Tracing\RASAPI32 FileTracingMask 4294901760 2
HKLM\Software\Microsoft\Tracing\RASAPI32 MaxFileSize 1048576 2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList AllUsersProfile All Users 8
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList DefaultUserProfile Default User 8
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ProfilesDirectory %SystemDrive%\Documents and Settings 16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003 ProfileImagePath %SystemDrive%\Documents and Settings\user 8
HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir C:\Program Files\Common Files 8
HKLM\Software\Microsoft\Windows\CurrentVersion ProgramFilesDir C:\Program Files 8
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common AppData %ALLUSERSPROFILE%\Application Data 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related http 4 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 10
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Capabilities 16464 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Comment Digest SSPI Authentication Package 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Name Digest 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll RpcId 65535 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll TokenSize 65535 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Type 49 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Version 1 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Capabilities 55 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Comment DPA Security Package 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Name DPA 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll RpcId 17 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll TokenSize 768 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Type 49 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Version 1 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Capabilities 55 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Comment MSN Security Package 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Name MSN 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll RpcId 18 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll TokenSize 768 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Type 49 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Version 1 1
HKLM\System\CurrentControlSet\Control\SecurityProviders SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll 2
HKLM\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles GSSAPI Kerberos 1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment ComSpec %SystemRoot%\system32\cmd.exe 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment FP_NO_HOST_CHECK NO 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment NUMBER_OF_PROCESSORS 1 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment OS Windows_NT 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_ARCHITECTURE x86 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_IDENTIFIER x86 Family 6 Model 3 Stepping 3, GenuineIntel 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_LEVEL 6 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_REVISION 0303 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment Path %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment TEMP %SystemRoot%\TEMP 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment TMP %SystemRoot%\TEMP 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment _NT_SYMBOL_PATH srv*C:\Symbols*http://msdl.microsoft.com/download/symbols 16
HKLM\System\CurrentControlSet\Control\Session Manager\Environment windir %SystemRoot% 16
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock HelperDllName %SystemRoot%\System32\wshtcpip.dll 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock Mapping 0x0b0000000300000002000000010000000600000002000000010000000000 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock MaxSockaddrLength 16 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock MinSockaddrLength 16 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock UseDelayedAcceptance 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters WinSock_Registry_Version 2.0 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 Num_Catalog_Entries 3 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 Serial_Access_Num 4 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 DisplayString Tcpip 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 LibraryPath %SystemRoot%\System32\mswsock.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ProviderId 0x409d05229e7ecf11ae5a00aa00a7112b 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SupportedNameSpace 12 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 DisplayString NTDS 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 LibraryPath %SystemRoot%\System32\winrnr.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ProviderId 0xee37263b80e5cf11a55500c04fd8d4ac 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SupportedNameSpace 32 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 DisplayString Network Location Awareness (NLA) Namespace 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 LibraryPath %SystemRoot%\System32\mswsock.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ProviderId 0x3a244266a83ba64abaa52e0bd71fdd83 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SupportedNameSpace 15 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Next_Catalog_Entry_ID 1012 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Num_Catalog_Entries 11 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Serial_Access_Num 4 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\Setup SystemSetupInProgress 0 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment TEMP %USERPROFILE%\Local Settings\Temp 16
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment TMP %USERPROFILE%\Local Settings\Temp 16
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings CertificateRevocation 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings DisableCachingOfSSLPages 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableHttp1_1 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableNegotiate 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MimeExclusionListForCache multipart/mixed multipart/x-mixed-replace multipart/x-byteranges 4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SecureProtocols 160 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnPost 0x01000000 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnZoneCrossing 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ParseAutoexec 1 8
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders AppData %USERPROFILE%\Application Data 7
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cache %USERPROFILE%\Local Settings\Temporary Internet Files 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cookies %USERPROFILE%\Cookies 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders History %USERPROFILE%\Local Settings\History 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Signature Client UrlCache MMF Ver 5.2 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CacheLimit 163410 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CachePrefix 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CachePrefix Cookie: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007101520071022 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CachePrefix :2007101520071022: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007102220071029 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CachePrefix :2007102220071029: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007110120071102 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CachePrefix :2007110120071102: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheLimit 1000 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheOptions 8 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CachePath %USERPROFILE%\UserData 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CachePrefix UserData 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheOptions 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CachePath %USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CachePrefix feedplat: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CachePrefix Visited: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AutoDetect 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ @ivt 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ file 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ftp 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ http 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ https 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ shell 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Flags 33 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Flags 475 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Flags 71 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1A10 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Flags 1 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Flags 3 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings MigrateProxy 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections DefaultConnectionSettings 0x3c0000000200000001000000000000000000000000000000040000000000 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 0x460000005e00000001000000000000000000000000000000040000000000 4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment APPDATA C:\Documents and Settings\user\Application Data 16
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment CLIENTNAME Console 16
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMEDRIVE C: 16
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMEPATH \Documents and Settings\user 16
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMESHARE 16
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment LOGONSERVER \\USER 16
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment SESSIONNAME Console

Registry Monitored:
Key Name Watch subtree Notify Filter Count
HKLM\Software\Microsoft\Tracing\RASAPI32 0 Attributes Change,Value Change,Security Descriptor Change 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 0 Key Change 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 0 Key Change 1
Files Created:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\cntr[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\cntr[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\coco[1].exe
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MBYNVPWZ\alt12[1].exe
C:\WINDOWS\system32\alt12.exe.exe
C:\WINDOWS\system32\coco.exe.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml

Files Read:
C:\WINDOWS\system32\svcp.csv
PIPE\ROUTER
PIPE\lsarpc
c:\autoexec.bat

Files Modified:
C:\WINDOWS\system32\svcp.csv
PIPE\ROUTER
PIPE\lsarpc
\Device\Afd\AsyncConnectHlp

Process Started:
Filename: coco.exe.exe
MD5: cf277a2fcbc8c8c01570eab74317c0c3
SHA-1: c710cc2ada0385ff5fc6a23e43398bfa5cba3291
File Size: 133120 Bytes
Command Line: coco.exe.exe

Popup:
Window Name Window Text
coco.exe.exe &Don't Send coco.exe.exe has encountered a problem and needs to close. We are sorry for the inconvenience. coco.exe.exe has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, Details &Send Error Report

Registry Read:
Key Name Value Times
HKLM\Software\Microsoft\PCHealth\ErrorReporting AllOrNone 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting DoReport 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting IncludeKernelFaults 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting IncludeMicrosoftApps 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting IncludeWindowsApps 1 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting ShowUI 1 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug Auto 1 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug Debugger drwtsn32 -p %ld -e %ld -g 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 1
HKLM\System\Setup SystemSetupInProgress 0 1

Files Created:
C:\DOCUME~1\user\LOCALS~1\Temp\a628_appcompat.txt

Files Read:
C:\WINDOWS\system32\winsock.dll
PIPE\lsarpc

Files Modified:
C:\DOCUME~1\user\LOCALS~1\Temp\a628_appcompat.txt
PIPE\lsarpc

Process Initiated:
C:\WINDOWS\system32\dwwin.exe -x -s 156
C:\WINDOWS\system32\drwtsn32 -p 756 -e 120 -g

Process Started:
Filename: alt12.exe.exe
MD5: cea1c8dd332a40a0cc5339ef10e049bc
SHA-1: 421bb1604c47bbf57330c225cb100fa14f7a01b2
File Size: 391168 Bytes
Command Line: alt12.exe.exe

Registry Changed:
Key Name New Value
HKLM\Software\Microsoft\Windows\CurrentVersion\Run PromoReg C:\WINDOWS\system32\alt12.exe.exe
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion RList 0x000000fe74727172746768796969000024010000c6d000d53c23ac934e6d

Registry Reads:
Key Name Value Times
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters WinSock_Registry_Version 2.0 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 Num_Catalog_Entries 3 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 Serial_Access_Num 4 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 DisplayString Tcpip 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 LibraryPath %SystemRoot%\System32\mswsock.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ProviderId 0x409d05229e7ecf11ae5a00aa00a7112b 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SupportedNameSpace 12 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 DisplayString NTDS 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 LibraryPath %SystemRoot%\System32\winrnr.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ProviderId 0xee37263b80e5cf11a55500c04fd8d4ac 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SupportedNameSpace 32 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 DisplayString Network Location Awareness (NLA) Namespace 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 LibraryPath %SystemRoot%\System32\mswsock.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ProviderId 0x3a244266a83ba64abaa52e0bd71fdd83 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SupportedNameSpace 15 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Next_Catalog_Entry_ID 1012 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Num_Catalog_Entries 11 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Serial_Access_Num 4 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 PackedCatalogItem %SystemRoot%\system32\mswsock. 1

Registry Keys Monitored:
Key Name Watch subtree Notify Filter Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 0 Key Change 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 0 Key Change 1

Network Activity:
HTTP Communication:
From SandBox:1034 to 69.41.185.66:80 - [69.41.185.66]
Request: GET /aff/cntr.php?b=688;5&c=35582&d=119 Response: 200 "OK"
Request: GET /aff/dir/coco.exe Response: 200 "OK"
Request: GET /aff/alt12.exe Response: 200 "OK"
Request: GET /aff/cntr.php?e=!!41717788_119_1_2_1_14_1&x=2::11&y=19900 Response: 200 "OK"
SMTP Communication:
From SandBox:1035 to 64.233.185.114:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
