Technical Details

Analysis Number: 1
Parent ID: 0
Process ID: 1032
Filename: C:\msg6475.exe
Filesize: 169826 bytes
MD5: 458010f6b2eee3e5dd18fc9d5713bf83
Start Reason: AnalysisTarget
Termination Reason: NormalTermination
Start Time: 00:00.094
Stop Time: 00:03.219

COM
COM Create Instance: %SystemRoot%\system32\browseui.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

DLL-Handling

Filesystem

New Files
shockwave.exe

Opened Files
C:\msg6475.exe
C:\msg6475.exe
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
C:\WINDOWS\Registration\R000000000008.clb
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\shockwave.exe

Chronological order
Open File: C:\msg6475.exe (OPEN_EXISTING)
Open File: C:\msg6475.exe (OPEN_EXISTING)
Find File: C:\msg6475.exe
Get File Attributes: shockwave.exe Flags: (SECURITY_ANONYMOUS)
Create File: shockwave.exe
Set File Time: C:\WINDOWS\system32\shockwave.exe
Set File Attributes: shockwave.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\shockwave.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Sandbox\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000008.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\shockwave.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\shockwave.exe ()
Find File: shockwave.exe

INI Files

Read INI File
WIN.INI [windows] ScrollInset =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragMinDist =
WIN.INI [windows] ScrollDelay =
WIN.INI [windows] ScrollInterval =
WIN.INI [richedit30] flags =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =

Registry

Changes
HKEY_CURRENT_USER\Software\WinRAR SFX "C%%WINDOWS%system32%" = C:\WINDOWS\system32\

Reads
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management
Creates Process - Filename (C:\WINDOWS\system32\shockwave.exe) CommandLine: () As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1032) As User: () Creation Flags: ()

System Info
Get System Directory

Window
Find Window - Class Name (EDIT) Window Name ()
Destroy Window - Class Name (Edit) Window Name ()
Destroy Window - Class Name (ComboLBox) Window Name ()

The following process was started by process: 1

Analysis Number: 2
Parent ID: 1
Process ID: 1008
Filename: C:\WINDOWS\system32\shockwave.exe
Filesize: 150566 bytes
MD5: b997ed86ebf7c06f3c30c77f59cce057
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:02.719
Stop Time: 01:01.515

DLL-Handling

Filesystem

New Files
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bt6378.bat

Opened Files
C:\WINDOWS\system32\shockwave.exe
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\cmd.exe

Chronological order
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\shockwave.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bt6378.bat
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bt6378.bat Flags: (FILE_ATTRIBUTE_HIDDEN,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\cmd.exe ()
Find File: cmd.exe

Registry

Reads
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management
Creates Process - Filename () CommandLine: (cmd.exe /c C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bt6378.bat) As User: () Creation Flags: ()

The following process was started by process: 2

Analysis Number: 3
Parent ID: 2
Process ID: 1804
Filename: cmd.exe /c C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bt6378.bat
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:03.750
Stop Time: 01:01.515

COM
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

DLL-Handling

Filesystem

New Files
nul
C:\WINDOWS\system32\ctzz.dll
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\~7.tmp
C:\WINDOWS\system32\drivers\etc\hosts

Opened Files
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bt6378.bat
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\find.exe
C:\WINDOWS\system32\ctzz.dll
C:\WINDOWS\system32\reg.exe
\\.\PIPE\wkssvc
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\Registration\R000000000008.clb
\\.\PIPE\lsarpc
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\~7.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\~7.tmp

Chronological order
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bt6378.bat
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bt6378.bat (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\cmd.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\cmd.exe ()
Find File: cmd.exe
Find File: C:\WINDOWS\system32\find.*
Find File: C:\WINDOWS\system32\find.COM
Find File: C:\WINDOWS\system32\find.EXE
Create File: nul
Open File: C:\WINDOWS\system32\find.exe ()
Find File: find.exe
Find File: C:\WINDOWS\system32\ctzz.dll
Create File: C:\WINDOWS\system32\ctzz.dll
Find File: C:\WINDOWS\system32\reg.*
Find File: C:\WINDOWS\system32\reg.COM
Find File: C:\WINDOWS\system32\reg.EXE
Open File: C:\WINDOWS\system32\ctzz.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\reg.exe ()
Find File: reg.exe
Find File: C:\WINDOWS\system32\iexplore.exe
Find File: C:\WINDOWS\system32\iexplore.exe.*
Find File: C:\WINDOWS\iexplore.exe
Find File: C:\WINDOWS\iexplore.exe.*
Find File: C:\WINDOWS\System32\Wbem\iexplore.exe
Find File: C:\WINDOWS\System32\Wbem\iexplore.exe.*
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: iexplore.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000008.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Program Files\Internet Explorer\iexplore.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Program Files\Internet Explorer\iexplore.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Program Files\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\Program Files\Internet Explorer\iexplore.exe ()
Find File: iexplore.exe
Get File Attributes: C:\WINDOWS\system32\cmd.exe Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\~7.tmp
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\~7.tmp (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\drivers\etc\hosts
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\~7.tmp
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\~7.tmp Flags: (SECURITY_ANONYMOUS)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\~7.tmp (OPEN_EXISTING)

Registry

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""

Process Management
Creates Process - Filename (C:\WINDOWS\system32\cmd.exe) CommandLine: (C:\WINDOWS\system32\cmd.exe /S /D /c" ver") As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\find.exe) CommandLine: (find "Windows 98") As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\reg.exe) CommandLine: (reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v ShockwavePlugin /t REG_SZ /d "C:\WINDOWS\system32\shockwave.exe" ) As User: () Creation Flags: ()
Creates Process - Filename (iexplore.exe) CommandLine: ( "http://mt-google.no-ip.biz/google/") As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\cmd.exe) CommandLine: (C:\WINDOWS\system32\cmd.exe /c nslookup mt-cef.no-ip.org mt-cef.no-ip.org | find "Address") As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\cmd.exe) CommandLine: (C:\WINDOWS\system32\cmd.exe /c nslookup mt-bb.no-ip.org mt-bb.no-ip.org | find "Address") As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\cmd.exe) CommandLine: (C:\WINDOWS\system32\cmd.exe /c nslookup mt-bra.no-ip.org mt-bra.no-ip.org | find "Address") As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\cmd.exe) CommandLine: (C:\WINDOWS\system32\cmd.exe /c nslookup mt-ita.no-ip.biz mt-ita.no-ip.biz | find "Address") As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\cmd.exe) CommandLine: (C:\WINDOWS\system32\cmd.exe /c nslookup mt-ncx.no-ip.biz mt-ncx.no-ip.biz | find "Address") As User: () Creation Flags: ()

System Info
Get System Directory

The following process was started by process: 3

Analysis Number: 4
Parent ID: 3
Process ID: 1692
Filename: C:\WINDOWS\system32\cmd.exe /S /D /c ver
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:04.828
Stop Time: 00:07.140

DLL-Handling

Filesystem

Chronological order
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32

Registry

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"

Process Management
Kill Process - Filename () CommandLine: () Target PID: (1692) As User: () Creation Flags: ()

The following process was started by process: 3

Analysis Number: 5
Parent ID: 3
Process ID: 1892
Filename: C:\WINDOWS\system32\find.exe find Windows 98
Filesize: 9216 bytes
MD5: 09b4e22c86f7e9f1e5c7554ac03b9c9d
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:05.015
Stop Time: 00:07.312

DLL-Handling

Process Management
Kill Process - Filename () CommandLine: () Target PID: (1892) As User: () Creation Flags: ()

The following process was started by process: 3

Analysis Number: 6
Parent ID: 3
Process ID: 196
Filename: C:\WINDOWS\system32\reg.exe reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v ShockwavePlugin /t REG_SZ /d C:\WINDOWS\system32\shockwave.exe
Filesize: 50176 bytes
MD5: 3f1df5d22c775b5e5de561755fa9ab55
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:07.375
Stop Time: 00:08.484

DLL-Handling

Registry

Changes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ShockwavePlugin" = C:\WINDOWS\system32\shockwave.exe

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ShockwavePlugin"

Process Management
Kill Process - Filename () CommandLine: () Target PID: (196) As User: () Creation Flags: ()

The following process was started by process: 3

Analysis Number: 7
Parent ID: 3
Process ID: 212
Filename: C:\Program Files\Internet Explorer\iexplore.exe http://mt-google.no-ip.biz/google/
Filesize: 93184 bytes
MD5: e7484514c0464642be7b4dc2689354c8
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:10.156
Stop Time: 01:01.531

COM
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({47851649-A2EF-4E67-BAEC-C6A153AC72EC})
COM Create Instance: %SystemRoot%\system32\SHELL32.dll, ProgID: (), Interface ID: ({EE1F7637-E138-11D1-8379-00C04FD918D0})
COM Create Instance: %SystemRoot%\system32\browseui.dll, ProgID: (), Interface ID: ({EB0FE172-1A3A-11D0-89B3-00A0C90A90AC})
COM Create Instance: %SystemRoot%\System32\cscui.dll, ProgID: (), Interface ID: ({0C6C4200-C589-11D0-999A-00C04FD655E1})
COM Create Instance: %SystemRoot%\system32\SHELL32.dll, ProgID: (), Interface ID: ({EB0FE172-1A3A-11D0-89B3-00A0C90A90AC})
COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID: (), Interface ID: ({79EAC9EF-BAF9-11CE-8C82-00AA004BA90B})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({85CB6900-4D95-11CF-960C-0080C7F4EE85})
COM Create Instance: , ProgID: (), Interface ID: ({00000149-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID: (), Interface ID: ({79EAC9EE-BAF9-11CE-8C82-00AA004BA90B})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({A5ACA655-7FB8-43DC-A433-8D87B69C70A0})
COM Create Instance: C:\WINDOWS\system32\msimtf.dll, ProgID: (), Interface ID: ({08C0E040-62D1-11D1-9326-0060B067B86E})
COM Create Instance: C:\WINDOWS\system32\jscript.dll, ProgID: (JScript), Interface ID: ({BB1A2AE1-A4F9-11CF-8F20-00805F2CD064})
COM Create Instance: , ProgID: (), Interface ID: ({00000146-0000-0000-C000-000000000046})
COM Create Instance: , ProgID: (), Interface ID: ({6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8})
COM Create Instance: C:\WINDOWS\system32\iepeers.dll, ProgID: (PeerFactory.PeerFactory.1), Interface ID: ({3050F429-98B5-11CF-BB82-00AA00BDCE0B})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({062E1261-A60E-11D0-82C2-00C04FD5AE38})
COM Create Instance: C:\WINDOWS\system32\mshtmled.dll, ProgID: (Trident.HTMLEditor.1), Interface ID: ({3050F7FA-98B5-11CF-BB82-00AA00BDCE0B})
COM Create Instance: %SystemRoot%\system32\imgutil.dll, ProgID: (ImgUtil.CoMapMIMEToCLSID.1), Interface ID: ({D9E89500-30FA-11D0-B724-00AA006C1A01})
COM Create Instance: %SystemRoot%\system32\imgutil.dll, ProgID: (ImgUtil.CoSniffStream.1), Interface ID: ({4EF17940-30E0-11D0-B724-00AA006C1A01})
COM Create Instance: %SystemRoot%\system32\pngfilt.dll, ProgID: (PNGFilter.CoPNGFilter.1), Interface ID: ({A3CCEDF3-2DE2-11D0-86F4-00A0C913F750})
COM Get Class Object: %SystemRoot%\system32\shdocvw.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: oleaut32.dll, Interface ID: ({D5F569D0-593B-101A-B569-08002B2DBF7A})
COM Get Class Object: %SystemRoot%\system32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

DLL-Handling

Filesystem

New Files
\Device\RasAcd
C:\Documents and Settings\Sandbox\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Opened Files
C:\WINDOWS\Registration\R000000000008.clb
C:\WINDOWS\System32\cscui.dll
\\.\shadow
\\.\PIPE\lsarpc
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\system32\stdole2.tlb
c:\autoexec.bat
C:\WINDOWS\system32\iepeers.dll

Chronological order
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000008.clb (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\cscui.dll (OPEN_EXISTING)
Open File: \\.\shadow (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Sandbox\Favorites\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Sandbox\Favorites\Links Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\WINDOWS\system32\iepeers.dll (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Sandbox\Local Settings\History\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\NOTEPAD.EXE Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Sandbox\Local Settings\Application Data\Microsoft Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Sandbox\Local Settings\Application Data\Microsoft\Internet Explorer Flags: (SECURITY_ANONYMOUS)
Create/Open File: C:\Documents and Settings\Sandbox\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (OPEN_ALWAYS)

INI Files

Read INI File
C:\Documents and Settings\Sandbox\Favorites\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Favorites\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\desktop.ini [.ShellClassInfo] LocalizedResourceName =
WIN.INI [windows] DragScrollInset =
WIN.INI [windows] DragScrollDelay =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragScrollInterval =
C:\Documents and Settings\Sandbox\Local Settings\History\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Local Settings\History\desktop.ini [.ShellClassInfo] LocalizedResourceName =

Mutexes
Creates Mutex: Shell.CMruPidlList
Creates Mutex: RasPbFile
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-2626759393-224621903-1653462319-1004
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-2626759393-224621903-1653462319-1004
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-2626759393-224621903-1653462319-1004
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-2626759393-224621903-1653462319-1004
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-2626759393-224621903-1653462319-1004
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: MSIMGSIZECacheMutex
Opens Mutex: WininetStartupMutex
Opens Mutex: _!SHMSFTHISTORY!_

Registry

Reads
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{a5e46e3a-8849-11d1-9d8c-00c04fc99d61}\InProcServer32 ""
HKEY_CLASSES_ROOT\.htm ""
HKEY_CLASSES_ROOT\.htm "Content Type"
HKEY_CLASSES_ROOT\.html ""
HKEY_CLASSES_ROOT\.html "Content Type"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{01e04581-4eee-11d0-bfe9-00aa005b4383}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0e5cbf21-d15f-11d0-8301-00aa005b4383}\InProcServer32 ""
HKEY_CLASSES_ROOT\http "EditFlags"
HKEY_CLASSES_ROOT\http "URL Protocol"
HKEY_CLASSES_ROOT\https "EditFlags"
HKEY_CLASSES_ROOT\https "URL Protocol"
HKEY_CLASSES_ROOT\ftp "EditFlags"
HKEY_CLASSES_ROOT\ftp "URL Protocol"
HKEY_CLASSES_ROOT\gopher "EditFlags"
HKEY_CLASSES_ROOT\gopher "URL Protocol"
HKEY_CLASSES_ROOT\telnet ""
HKEY_CLASSES_ROOT\telnet "EditFlags"
HKEY_CLASSES_ROOT\telnet "URL Protocol"
HKEY_CLASSES_ROOT\telnet\DefaultIcon ""
HKEY_CLASSES_ROOT\telnet\shell\open\command ""
HKEY_CLASSES_ROOT\rlogin ""
HKEY_CLASSES_ROOT\rlogin "EditFlags"
HKEY_CLASSES_ROOT\rlogin "URL Protocol"
HKEY_CLASSES_ROOT\rlogin\DefaultIcon ""
HKEY_CLASSES_ROOT\rlogin\shell\open\command ""
HKEY_CLASSES_ROOT\tn3270 ""
HKEY_CLASSES_ROOT\tn3270 "EditFlags"
HKEY_CLASSES_ROOT\tn3270 "URL Protocol"
HKEY_CLASSES_ROOT\tn3270\DefaultIcon ""
HKEY_CLASSES_ROOT\tn3270\shell\open\command ""
HKEY_CLASSES_ROOT\mailto ""
HKEY_CLASSES_ROOT\mailto "EditFlags"
HKEY_CLASSES_ROOT\mailto "URL Protocol"
HKEY_CLASSES_ROOT\mailto\DefaultIcon ""
HKEY_CLASSES_ROOT\mailto\shell\open\command ""
HKEY_CLASSES_ROOT\news ""
HKEY_CLASSES_ROOT\news "EditFlags"
HKEY_CLASSES_ROOT\news "URL Protocol"
HKEY_CLASSES_ROOT\news\DefaultIcon ""
HKEY_CLASSES_ROOT\news\shell\open\command ""
HKEY_CLASSES_ROOT\.url ""
HKEY_CLASSES_ROOT\InternetShortcut ""
HKEY_CLASSES_ROOT\InternetShortcut "EditFlags"
HKEY_CLASSES_ROOT\InternetShortcut "IsShortcut"
HKEY_CLASSES_ROOT\InternetShortcut "NeverShowExt"
HKEY_CLASSES_ROOT\InternetShortcut\CLSID ""
HKEY_CLASSES_ROOT\InternetShortcut\DefaultIcon ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\IconHandler ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\PropertySheetHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 "ThreadingModel"
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 "LoadWithoutCOM"
HKEY_CLASSES_ROOT\http\shell\open\command ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\https\shell\open\command ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\https\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\ftp\shell\open\command ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\ifExec ""
HKEY_CLASSES_ROOT\gopher\shell\open\command ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\htmlfile\shell ""
HKEY_CLASSES_ROOT\htmlfile\shell\open ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\command ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\IfExec ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Application ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\command ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\command ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\IfExec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\Application ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\Topic ""
HKEY_CLASSES_ROOT\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} ""
HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command ""
HKEY_CLASSES_ROOT\InternetShortcut\shell\open "CLSID"
HKEY_CLASSES_ROOT\InternetShortcut\shell\open "LegacyDisable"
HKEY_CLASSES_ROOT\InternetShortcut\shellex\ContextMenuHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\shellex\MayChangeDefaultMenu ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\PropertyHandler ""
HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command ""
HKEY_CLASSES_ROOT\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 ""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9ba05972-f6a8-11cf-a442-00a0c90a8f39}\InProcServer32 ""
HKEY_CLASSES_ROOT "Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\ProxyStubClsid32"
HKEY_CLASSES_ROOT "Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\Forward"
HKEY_CLASSES_ROOT\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib "Version"
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32 ""
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc "UDTAlignmentPolicy"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}\InProcServer32 ""
_HKEY(2200)_ "NumShape"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ "EnableAnchorContext"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 "COM+Enabled"
HKEY_CLASSES_ROOT\TypeLib\{7E8BC440-AEFF-11D1-89C2-00C04FB6BFC4}\1.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7b8a2d95-0ac9-11d1-896c-00c04fb6bfc4}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff393560-c2a7-11cf-bff4-444553540000}\InProcServer32 ""
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/cdf "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/fractals "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/futuresplash "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/hta "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/mac-binhex40 "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/pkcs10 "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/pkcs7-mime "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/pkcs7-signature "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/pkix-cert "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/pkix-crl "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/postscript "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/set-payment-initiation "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/set-registration-initiation "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-pki.certstore "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-pki.pko "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-pki.seccat "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-pki.stl "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-wpl "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-cdf "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-compress "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-compressed "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-gzip "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-internet-signup "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-iphone "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-latex "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mix-transfer "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mplayer2 "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmd "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmz "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-pkcs12 "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-pkcs7-certificates "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-pkcs7-certreqresp "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-shockwave-flash "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-stuffit "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-tar "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-troff-man "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-x509-ca-cert "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-zip-compressed "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/xml "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/aiff "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/basic "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mid "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/midi "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mp3 "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpeg "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpegurl "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpg "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/wav "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-aiff "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-background "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mid "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-midi "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mp3 "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpeg "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpegurl "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpg "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wax "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wma "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-wav "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/bmp "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/gif "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/jpeg "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/pjpeg "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/png "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/tiff "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/x-icon "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/x-jg "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/x-png "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/x-wmf "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/x-xbitmap "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/xbm "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\message/rfc822 "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\midi/mid "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/css "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/h323 "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/html "Image Filter CLSID"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/iuls "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/plain "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/scriptlet "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/webviewhtml "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/x-component "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/x-scriptlet "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/x-vcard "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/xml "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/avi "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpeg "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpg "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/msvideo "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg2a "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf-plugin "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wm "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmv "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmx "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wvx "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-msvideo "Image Filter CLSID" HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/bmp\Bits "0" HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/gif\Bits "0" HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/jpeg\Bits "0" HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/pjpeg\Bits "0" HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/png\Bits 
"0" HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/x-png\Bits "0" HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/x-wmf\Bits "0"

Enums
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP
HKEY_CLASSES_ROOT\MIME\Database\Content Type

Process Management
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1440)

Service Management
Open Service Manager - Name: "SCM"

System Info
Get System Directory
Get Computer Name
Get System Time

User Management
Impersonate User - Domain: () User: (Sandbox)
Get User Name

Window
Find Window - Class Name (Shell_TrayWnd) Window Name ()
Find Window - Class Name (MS_AutodialMonitor) Window Name ()
Find Window - Class Name (MS_WebcheckMonitor) Window Name ()
Enum Windows

Network Activity

DNS Lookup
Host Name: captcha157
IP Address: (empty in report)

Outgoing connection to remote server: 206.51.225.124 TCP port 80
Outgoing connection to remote server: 216.239.51.99 TCP port 80

The following process was started by process: 3

Analysis Number: 8
Parent ID: 3
Process ID: 716
Filename: C:\WINDOWS\system32\cmd.exe /c nslookup mt-cef.no-ip.org mt-cef.no-ip.org | find Address
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:10.297
Stop Time: 00:23.281

DLL-Handling

Filesystem

Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\nslookup.exe
C:\WINDOWS\system32\find.exe

Chronological order
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32
Find File: C:\WINDOWS\system32\nslookup.*
Find File: C:\WINDOWS\system32\nslookup.COM
Find File: C:\WINDOWS\system32\nslookup.EXE
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\nslookup.exe ()
Find File: nslookup.exe
Find File: C:\WINDOWS\system32\find.*
Find File: C:\WINDOWS\system32\find.COM
Find File: C:\WINDOWS\system32\find.EXE
Open File: C:\WINDOWS\system32\find.exe ()
Find File: find.exe

Registry

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management
Creates Process - Filename (C:\WINDOWS\system32\nslookup.exe) CommandLine: (nslookup mt-cef.no-ip.org mt-cef.no-ip.org ) As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\find.exe) CommandLine: (find "Address") As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (716) As User: () Creation Flags: ()

The following process was started by process: 8

Analysis Number: 9
Parent ID: 8
Process ID: 448
Filename: C:\WINDOWS\system32\nslookup.exe nslookup mt-cef.no-ip.org mt-cef.no-ip.org
Filesize: 76800 bytes
MD5: ce3e0b8c9fb00ae2b214b1c951c4326f
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:12.453
Stop Time: 00:22.140

DLL-Handling

Filesystem

New Files
\Device\RasAcd

Chronological order
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Registry

Reads
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DNSLookupOrder" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "Domain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpDomain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "SearchList" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpSearchList" HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"

Process Management
Kill Process - Filename () CommandLine: () Target PID: (448) As User: () Creation Flags: ()

Network Activity

DNS Lookup
Host Name: mt-cef.no-ip.org
IP Address: 206.51.225.120

UDP Connections
Remote IP Address: 206.51.225.120 Port: 53
Send Datagram: packet(s) of size 45
Recv Datagram: packet(s) of size 103

Remote IP Address: 206.51.225.120 Port: 53
Send Datagram: packet(s) of size 34
Recv Datagram: packet(s) of size 161

The following process was started by process: 8

Analysis Number: 10
Parent ID: 8
Process ID: 464
Filename: C:\WINDOWS\system32\find.exe find Address
Filesize: 9216 bytes
MD5: 09b4e22c86f7e9f1e5c7554ac03b9c9d
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:12.515
Stop Time: 00:22.844

DLL-Handling

Process Management
Kill Process - Filename () CommandLine: () Target PID: (464) As User: () Creation Flags: ()

Analysis Number: 11
Parent ID: 0
Process ID: 712
Filename: (empty in report)
Filesize: -1 bytes
MD5: (empty in report)
Start Reason: SCM
Termination Reason: Unknown
Start Time: 00:18.172
Stop Time: 00:00.000

Analysis Number: 12
Parent ID: 0
Process ID: 712
Filename: (empty in report)
Filesize: -1 bytes
MD5: (empty in report)
Start Reason: SCM
Termination Reason: Unknown
Start Time: 00:18.265
Stop Time: 00:00.000

Analysis Number: 13
Parent ID: 0
Process ID: 712
Filename: (empty in report)
Filesize: -1 bytes
MD5: (empty in report)
Start Reason: SCM
Termination Reason: Unknown
Start Time: 00:20.031
Stop Time: 00:00.000

The following process was started by process: 3

Analysis Number: 14
Parent ID: 3
Process ID: 592
Filename: C:\WINDOWS\system32\cmd.exe /c nslookup mt-bb.no-ip.org mt-bb.no-ip.org | find Address
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:23.312
Stop Time: 00:28.250

DLL-Handling

Filesystem

Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\nslookup.exe
C:\WINDOWS\system32\find.exe

Chronological order
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32
Find File: C:\WINDOWS\system32\nslookup.*
Find File: C:\WINDOWS\system32\nslookup.COM
Find File: C:\WINDOWS\system32\nslookup.EXE
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\nslookup.exe ()
Find File: nslookup.exe
Find File: C:\WINDOWS\system32\find.*
Find File: C:\WINDOWS\system32\find.COM
Find File: C:\WINDOWS\system32\find.EXE
Open File: C:\WINDOWS\system32\find.exe ()
Find File: find.exe

Registry

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management
Creates Process - Filename (C:\WINDOWS\system32\nslookup.exe) CommandLine: (nslookup mt-bb.no-ip.org mt-bb.no-ip.org ) As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\find.exe) CommandLine: (find "Address") As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (592) As User: () Creation Flags: ()

Analysis Number: 15
Parent ID: 0
Process ID: 712
Filename: (empty in report)
Filesize: -1 bytes
MD5: (empty in report)
Start Reason: SCM
Termination Reason: Unknown
Start Time: 00:23.734
Stop Time: 00:00.000

The following process was started by process: 14

Analysis Number: 16
Parent ID: 14
Process ID: 632
Filename: C:\WINDOWS\system32\nslookup.exe nslookup mt-bb.no-ip.org mt-bb.no-ip.org
Filesize: 76800 bytes
MD5: ce3e0b8c9fb00ae2b214b1c951c4326f
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:25.297
Stop Time: 00:27.890

DLL-Handling

Filesystem

New Files
\Device\RasAcd

Chronological order
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Registry

Reads
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DNSLookupOrder" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "Domain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpDomain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "SearchList" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpSearchList" HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"

Process Management
Kill Process - Filename () CommandLine: () Target PID: (632) As User: () Creation Flags: ()

Network Activity

DNS Lookup
Host Name: mt-bb.no-ip.org
IP Address: 206.51.225.121

UDP Connections
Remote IP Address: 206.51.225.121 Port: 53
Send Datagram: packet(s) of size 45
Recv Datagram: packet(s) of size 103

Remote IP Address: 206.51.225.121 Port: 53
Send Datagram: packet(s) of size 33
Recv Datagram: packet(s) of size 160

The following process was started by process: 14

Analysis Number: 17
Parent ID: 14
Process ID: 624
Filename: C:\WINDOWS\system32\find.exe find Address
Filesize: 9216 bytes
MD5: 09b4e22c86f7e9f1e5c7554ac03b9c9d
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:25.422
Stop Time: 00:28.078

DLL-Handling

Process Management
Kill Process - Filename () CommandLine: () Target PID: (624) As User: () Creation Flags: ()

The following process was started by process: 3

Analysis Number: 18
Parent ID: 3
Process ID: 844
Filename: C:\WINDOWS\system32\cmd.exe /c nslookup mt-bra.no-ip.org mt-bra.no-ip.org | find Address
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:28.281
Stop Time: 00:31.937

DLL-Handling

Filesystem

Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\nslookup.exe
C:\WINDOWS\system32\find.exe

Chronological order
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32
Find File: C:\WINDOWS\system32\nslookup.*
Find File: C:\WINDOWS\system32\nslookup.COM
Find File: C:\WINDOWS\system32\nslookup.EXE
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\nslookup.exe ()
Find File: nslookup.exe
Find File: C:\WINDOWS\system32\find.*
Find File: C:\WINDOWS\system32\find.COM
Find File: C:\WINDOWS\system32\find.EXE
Open File: C:\WINDOWS\system32\find.exe ()
Find File: find.exe

Registry

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management
Creates Process - Filename (C:\WINDOWS\system32\nslookup.exe) CommandLine: (nslookup mt-bra.no-ip.org mt-bra.no-ip.org ) As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\find.exe) CommandLine: (find "Address") As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (844) As User: () Creation Flags: ()

The following process was started by process: 18

Analysis Number: 19
Parent ID: 18
Process ID: 800
Filename: C:\WINDOWS\system32\nslookup.exe nslookup mt-bra.no-ip.org mt-bra.no-ip.org
Filesize: 76800 bytes
MD5: ce3e0b8c9fb00ae2b214b1c951c4326f
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:29.015
Stop Time: 00:31.578

DLL-Handling

Filesystem

New Files
\Device\RasAcd

Chronological order
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Registry

Reads
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DNSLookupOrder" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "Domain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpDomain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "SearchList" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpSearchList" HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"

Process Management
Kill Process - Filename () CommandLine: () Target PID: (800) As User: () Creation Flags: ()

Network Activity

DNS Lookup
Host Name: mt-bra.no-ip.org
IP Address: 206.51.225.122

UDP Connections
Remote IP Address: 206.51.225.122 Port: 53
Send Datagram: packet(s) of size 45
Recv Datagram: packet(s) of size 103

Remote IP Address: 206.51.225.122 Port: 53
Send Datagram: packet(s) of size 34
Recv Datagram: packet(s) of size 161

The following process was started by process: 18

Analysis Number: 20
Parent ID: 18
Process ID: 956
Filename: C:\WINDOWS\system32\find.exe find Address
Filesize: 9216 bytes
MD5: 09b4e22c86f7e9f1e5c7554ac03b9c9d
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:29.109
Stop Time: 00:31.750

DLL-Handling

Process Management
Kill Process - Filename () CommandLine: () Target PID: (956) As User: () Creation Flags: ()

The following process was started by process: 3

Analysis Number: 21
Parent ID: 3
Process ID: 1088
Filename: C:\WINDOWS\system32\cmd.exe /c nslookup mt-ita.no-ip.biz mt-ita.no-ip.biz | find Address
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:31.953
Stop Time: 00:35.578

DLL-Handling

Filesystem

Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\nslookup.exe
C:\WINDOWS\system32\find.exe

Chronological order
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32
Find File: C:\WINDOWS\system32\nslookup.*
Find File: C:\WINDOWS\system32\nslookup.COM
Find File: C:\WINDOWS\system32\nslookup.EXE
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\nslookup.exe ()
Find File: nslookup.exe
Find File: C:\WINDOWS\system32\find.*
Find File: C:\WINDOWS\system32\find.COM
Find File: C:\WINDOWS\system32\find.EXE
Open File: C:\WINDOWS\system32\find.exe ()
Find File: find.exe

Registry

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management
Creates Process - Filename (C:\WINDOWS\system32\nslookup.exe) CommandLine: (nslookup mt-ita.no-ip.biz mt-ita.no-ip.biz ) As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\find.exe) CommandLine: (find "Address") As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1088) As User: () Creation Flags: ()

The following process was started by process: 21

Analysis Number: 22
Parent ID: 21
Process ID: 1104
Filename: C:\WINDOWS\system32\nslookup.exe nslookup mt-ita.no-ip.biz mt-ita.no-ip.biz
Filesize: 76800 bytes
MD5: ce3e0b8c9fb00ae2b214b1c951c4326f
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:32.687
Stop Time: 00:35.234

DLL-Handling

Filesystem

New Files
\Device\RasAcd

Chronological order
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Registry

Reads
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DNSLookupOrder" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "Domain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpDomain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "SearchList" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpSearchList" HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"

Process Management
Kill Process - Filename () CommandLine: () Target PID: (1104) As User: () Creation Flags: ()

Network Activity

DNS Lookup
Host Name: mt-ita.no-ip.biz
IP Address: 206.51.225.124

UDP Connections
Remote IP Address: 206.51.225.124 Port: 53
Send Datagram: packet(s) of size 45
Recv Datagram: packet(s) of size 103

Remote IP Address: 206.51.225.124 Port: 53
Send Datagram: packet(s) of size 34
Recv Datagram: packet(s) of size 161

The following process was started by process: 21

Analysis Number: 23
Parent ID: 21
Process ID: 1168
Filename: C:\WINDOWS\system32\find.exe find Address
Filesize: 9216 bytes
MD5: 09b4e22c86f7e9f1e5c7554ac03b9c9d
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:32.781
Stop Time: 00:35.406

DLL-Handling

Process Management
Kill Process - Filename () CommandLine: () Target PID: (1168) As User: () Creation Flags: ()

The following process was started by process: 3

Analysis Number: 24
Parent ID: 3
Process ID: 1420
Filename: C:\WINDOWS\system32\cmd.exe /c nslookup mt-ncx.no-ip.biz mt-ncx.no-ip.biz | find Address
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:35.609
Stop Time: 00:39.250

DLL-Handling

Filesystem

Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\nslookup.exe
C:\WINDOWS\system32\find.exe

Chronological order
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32
Find File: C:\WINDOWS\system32\nslookup.*
Find File: C:\WINDOWS\system32\nslookup.COM
Find File: C:\WINDOWS\system32\nslookup.EXE
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\nslookup.exe ()
Find File: nslookup.exe
Find File: C:\WINDOWS\system32\find.*
Find File: C:\WINDOWS\system32\find.COM
Find File: C:\WINDOWS\system32\find.EXE
Open File: C:\WINDOWS\system32\find.exe ()
Find File: find.exe

Registry

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management
Creates Process - Filename (C:\WINDOWS\system32\nslookup.exe) CommandLine: (nslookup mt-ncx.no-ip.biz mt-ncx.no-ip.biz ) As User: () Creation Flags: ()
Creates Process - Filename (C:\WINDOWS\system32\find.exe) CommandLine: (find "Address") As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1420) As User: () Creation Flags: ()

The following process was started by process: 24

Analysis Number: 25
Parent ID: 24
Process ID: 1296
Filename: C:\WINDOWS\system32\nslookup.exe nslookup mt-ncx.no-ip.biz mt-ncx.no-ip.biz
Filesize: 76800 bytes
MD5: ce3e0b8c9fb00ae2b214b1c951c4326f
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:36.344
Stop Time: 00:38.890

DLL-Handling

Filesystem

New Files
\Device\RasAcd

Chronological order
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Registry

Reads
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DNSLookupOrder" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "Domain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpDomain" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "SearchList" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpSearchList" HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"

Process Management
Kill Process - Filename () CommandLine: () Target PID: (1296) As User: () Creation Flags: ()

Network Activity

DNS Lookup
Host Name: mt-ncx.no-ip.biz
IP Address: 206.51.225.123

UDP Connections
Remote IP Address: 206.51.225.123 Port: 53
Send Datagram: packet(s) of size 45
Recv Datagram: packet(s) of size 103

Remote IP Address: 206.51.225.123 Port: 53
Send Datagram: packet(s) of size 34
Recv Datagram: packet(s) of size 161

The following process was started by process: 24

Analysis Number: 26
Parent ID: 24
Process ID: 1324
Filename: C:\WINDOWS\system32\find.exe find Address
Filesize: 9216 bytes
MD5: 09b4e22c86f7e9f1e5c7554ac03b9c9d
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:36.437
Stop Time: 00:39.078

DLL-Handling

Process Management
Kill Process - Filename () CommandLine: () Target PID: (1324) As User: () Creation Flags: ()