Download Link: hxxp://208.101.56.102/synctl/upd/s01.exe
File Name: s01.exe
File size: 31250 bytes
MD5: 96149110dbe7bb70a699869eb0d81255
SHA1: 7dcf63143a836b1b7334b9e5d74cbaebd76799d6
PEiD: -
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=96149110dbe7bb70a699869eb0d81255
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FFF8289712FAD9677AD800C15BB1CF0089E7A560

VirusTotal Result: 18/32 (56.25%)
  AhnLab-V3: Win-Trojan/Tibs.31250
  AntiVir: WORM/Zhelatin.Gen
  Avast: Win32:Trojan-gen {Other}
  AVG: Crypt.HC
  BitDefender: Trojan.Tibs.MW.Dam
  CAT-QuickHeal: Worm.Zhelatin.gen
  eSafe: Suspicious File
  Ewido: Trojan.Agent
  FileAdvisor: High threat detected
  Ikarus: Trojan.Tibs.MW.Dam
  McAfee: New Poly Win32
  Microsoft: Trojan:Win32/Tibs.EW
  NOD32v2: probably a variant of Win32/Agent
  Norman: W32/Tibs.BDXM
  Prevx1: Trojan.Nudos
  Sophos: Troj/Agent-GHV
  Symantec: Trojan Horse
  Webwasher-Gateway: Worm.Zhelatin.Gen

Analysis Report: http://malwareinfo.freeforums.org/208-101-56-102-synctl-upd-s01-exe-t13.html

File Info:
PE Header
  Signature: 00004550
  Machine: 014C - Intel 386
  Number of sections: 0001
  Time/Date stamp: 46F18069
  Pointer to symbol table: 00000000
  Number of symbols: 00000000
  Size of optional header: 00E0
  Characteristics: 010F
  Magic: 010B
  Linker version (major): 06
  Linker version (minor): 00
  Size of code: 0000B200
  Size of initialized data: 00000000
  Size of uninitialized data: 00000000
  Address of entry point: 00003ED3
  Base of code: 00001000
  Base of data: 0000D000
  Image base: 00400000
  Section alignment: 00001000
  File alignment: 00000200
  OS version (major): 0004
  OS version (minor): 0000
  Image version (major): 0000
  Image version (minor): 0000
  Sub system version (major): 0004
  Sub system version (minor): 0000
  Win32 version: 00000000
  Size of image: 0000E000
  Size of headers: 00000400
  Checksum: 00000000
  Sub system: 0002 - Windows graphical user interface (GUI) subsystem
  DLL characteristics: 0000
  Size of stack reserve: 00100000
  Size of stack commit: 00001000
  Size of heap reserve: 00100000
  Size of heap commit: 00001000
  Loader flags: 00000000
  Number of RVA: 00000010

PE Sections
  Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
  .text    0000D000  00001000  00007612  00000400  E0000000

Import table (libraries: 2)
  kernel32.dll (imports: 4): IsBadHugeReadPtr, IsBadStringPtrW, LeaveCriticalSection, LoadResource
  gdi32.dll (imports: 4): RectInRegion, RestoreDC, SelectFontLocal, SetAbortProc

Notes on the static layout:
  - One section (.text) with flags E0000000 (read, write and execute), a virtual size of 0xD000 against 0x7612 bytes on disk, and eight imports from two DLLs, none of them the APIs a GUI program needs to start: this is the shape of a packer or crypter stub that decrypts its payload into the writable, executable slack at run time. The payload's real import set is only visible after unpacking, and PEiD matched no known packer signature for the stub.
  - Raw data ends at 0x400 + 0x7612 = 0x7A12 = 31250 bytes, exactly the file size, so there is no overlay.
  - Entry point is 0x400000 + 0x3ED3 = 0x403ED3, inside .text. The checksum is zero and relocations are stripped (Characteristics 010F), so the image can only load at 0x400000.
  - Time/Date stamp 46F18069 decodes to 2007-09-19 20:02:49 UTC if it was not forged, about six weeks before this run (the IE history buckets read later, e.g. MSHist012007110120071102, date the sandbox image to early November 2007).

Load Time DLL:
  Module Name  Base Address  Size
  C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000B0000
  C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F5000
  C:\WINDOWS\system32\gdi32.dll  0x77F10000  0x00047000
  C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00090000
  C:\WINDOWS\system32\IMM32.DLL  0x76390000  0x0001D000
  C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
  C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
  C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000

Run Time DLL:
  Module Name  Base Address  Size
  C:\WINDOWS\system32\NETAPI32.dll  0x5B860000  0x00054000
  C:\WINDOWS\system32\comctl32.dll  0x5D090000  0x0009A000
  C:\WINDOWS\system32\faultrep.dll  0x69450000  0x00016000
  C:\WINDOWS\system32\WINSTA.dll  0x76360000  0x00010000
  C:\WINDOWS\system32\USERENV.dll  0x769C0000  0x000B3000
  C:\WINDOWS\system32\WTSAPI32.dll  0x76F50000  0x00008000
  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll  0x773D0000  0x00103000
  C:\WINDOWS\system32\SETUPAPI.dll  0x77920000  0x000F3000
  C:\WINDOWS\system32\apphelp.dll  0x77B40000  0x00022000
  C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000
  C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
  C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
  C:\WINDOWS\system32\shell32.dll  0x7C9C0000  0x00815000

Registry Reads (name = value  [times]):
  HKLM\Software\Microsoft\PCHealth\ErrorReporting
    AllOrNone = 1  [1]
    DoReport = 1  [1]
    IncludeKernelFaults = 1  [1]
  HKLM\Software\Microsoft\PCHealth\ErrorReporting
    IncludeMicrosoftApps = 1  [1]
    IncludeWindowsApps = 1  [1]
    ShowUI = 1  [1]
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
    Auto = 1  [1]
    Debugger = drwtsn32 -p %ld -e %ld -g  [1]
  HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
    ComputerName = USER  [1]
  HKLM\System\Setup
    SystemSetupInProgress = 0  [1]

Files Created:
  C:\DOCUME~1\user\LOCALS~1\Temp\5f86_appcompat.txt

Files Read:
  C:\WINDOWS\system32\winsock.dll
  PIPE\lsarpc

Files Changed:
  C:\DOCUME~1\user\LOCALS~1\Temp\5f86_appcompat.txt
  PIPE\lsarpc

Memory Mapped Files:
  C:\WINDOWS\system32\advapi32.dll
  C:\WINDOWS\system32\gdi32.dll
  C:\WINDOWS\system32\kernel32.dll
  C:\WINDOWS\system32\ntdll.dll
  C:\WINDOWS\system32\ole32.dll
  C:\WINDOWS\system32\oleaut32.dll
  C:\WINDOWS\system32\shell32.dll
  C:\WINDOWS\system32\user32.dll
  C:\WINDOWS\system32\wininet.dll
  C:\WINDOWS\system32\winsock.dll

SEH Exception (description, times):
  Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x3edb2560  [1]

Process Created:
  C:\WINDOWS\system32\dwwin.exe -x -s 156
  C:\WINDOWS\system32\drwtsn32 -p 456 -e 120 -g

Notes on the run:
  - The sample (renamed C:\sample.exe by the sandbox) raised STATUS_ACCESS_VIOLATION and died. The run-time load of faultrep.dll, the PCHealth\ErrorReporting and AeDebug reads, the Temp\5f86_appcompat.txt file and the dwwin.exe / drwtsn32 processes are Windows Error Reporting and Dr. Watson reacting to that crash, not sample behaviour.
  - Everything recorded under "Process dwwin.exe" below (WININET, URLMON and RASAPI32 loads, Internet Settings and WinSock catalog reads, the 39471.dmp minidump, the RASMAN service start) belongs to the error-reporting client. It says nothing about the sample's own network, persistence or payload activity, so treat this as a failed detonation rather than a behaviour profile: re-run on a different image or unpack the stub statically before drawing conclusions about the payload or its C2.

Process dwwin.exe:
Filename: dwwin.exe
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 156

Load Time DLL:
  Module Name  Base Address  Size
  C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000B0000
  C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F5000
  C:\WINDOWS\system32\ADVAPI32.DLL  0x77DD0000  0x0009B000
  C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
  C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
  C:\WINDOWS\system32\COMCTL32.DLL  0x5D090000  0x0009A000
  C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00047000
  C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00090000
  C:\WINDOWS\system32\OLEAUT32.DLL  0x77120000  0x0008B000
  C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
  C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
  C:\WINDOWS\system32\SHELL32.DLL  0x7C9C0000  0x00815000
  C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
  C:\WINDOWS\system32\URLMON.DLL  0x42CF0000  0x00124000
  C:\WINDOWS\system32\iertutil.dll  0x42990000  0x00045000
  C:\WINDOWS\system32\VERSION.DLL  0x77C00000  0x00008000
  C:\WINDOWS\system32\WININET.DLL  0x42C10000  0x000CF000
  C:\WINDOWS\system32\Normaliz.dll  0x00400000  0x00009000
  C:\WINDOWS\system32\ShimEng.dll  0x5CB70000  0x00026000
  C:\WINDOWS\AppPatch\AcGenral.DLL  0x6F880000  0x001CA000
  C:\WINDOWS\system32\WINMM.dll  0x76B40000  0x0002D000
  C:\WINDOWS\system32\MSACM32.dll  0x77BE0000  0x00015000
  C:\WINDOWS\system32\USERENV.dll  0x769C0000  0x000B3000
  C:\WINDOWS\system32\UxTheme.dll  0x5AD70000  0x00038000
  C:\WINDOWS\system32\IMM32.DLL  0x76390000  0x0001D000
  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll  0x773D0000  0x00103000

Run Time DLL:
  Module Name  Base Address  Size
  C:\WINDOWS\system32\1033\dwintl.dll  0x314C0000  0x0000C000
  C:\WINDOWS\system32\NETAPI32.dll  0x5B860000  0x00054000
  C:\WINDOWS\system32\WS2HELP.dll  0x71AA0000  0x00008000
  C:\WINDOWS\system32\ws2_32.dll  0x71AB0000  0x00017000
  C:\WINDOWS\system32\sensapi.dll  0x722B0000  0x00005000
  C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004B000
  C:\WINDOWS\system32\riched20.dll  0x74E30000  0x0006C000
  C:\WINDOWS\system32\shfolder.dll  0x76780000  0x00009000
  C:\WINDOWS\system32\PSAPI.DLL  0x76BF0000  0x0000B000
  C:\WINDOWS\system32\rtutils.dll  0x76E80000  0x0000E000
  C:\WINDOWS\system32\rasman.dll  0x76E90000  0x00012000
  C:\WINDOWS\system32\TAPI32.dll  0x76EB0000  0x0002F000
  C:\WINDOWS\system32\RASAPI32.dll  0x76EE0000  0x0003C000

dwwin.exe Registry Activity (name = new value):
  HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable = 0
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Common AppData = C:\Documents and Settings\All Users\Application Data
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    AppData = C:\Documents and Settings\user\Application Data
    Cache = C:\Documents and Settings\user\Local Settings\Temporary Internet Files
    Cookies = C:\Documents and Settings\user\Cookies
    History = C:\Documents and Settings\user\Local Settings\History
    Personal = C:\Documents and Settings\user\My Documents
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
    MigrateProxy = 1
    ProxyEnable = 0
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings = 0x460000005f00000001000000000000000000000000000000040000000000

Registry Value Read (name = value  [times]):
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    UrlEncoding = 0x00000000  [2]
  HKLM\Software\Microsoft\Tracing
    EnableConsoleTracing = 0  [1]
  HKLM\Software\Microsoft\Tracing\RASAPI32
    ConsoleTracingMask = 4294901760  [2]
    EnableConsoleTracing = 0  [2]
    EnableFileTracing = 0  [2]
    FileDirectory = %windir%\tracing  [4]
    FileTracingMask = 4294901760  [2]
    MaxFileSize = 1048576  [2]
  HKLM\Software\Microsoft\Windows NT\CurrentVersion
    DigitalProductId = 0xa40000000300000037363438372d3333372d383432393935352d32323631  [1]
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
    Debugger = drwtsn32 -p %ld -e %ld -g  [4]
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
    AllUsersProfile = All Users  [3]
    DefaultUserProfile = Default User  [3]
    ProfilesDirectory = %SystemDrive%\Documents and Settings  [6]
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003
    ProfileImagePath = %SystemDrive%\Documents and Settings\user  [3]
  HKLM\Software\Microsoft\Windows\CurrentVersion
    CommonFilesDir = C:\Program Files\Common Files  [4]
    ProgramFilesDir = C:\Program Files  [4]
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Common AppData = %ALLUSERSPROFILE%\Application Data  [1]
  HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    PerUserItem = 1  [1]
  HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    PerUserItem = 1  [1]
  HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    PerUserItem = 1  [1]
  HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
    ComputerName = USER  [5]
  HKLM\System\CurrentControlSet\Control\Session Manager\Environment
    ComSpec = %SystemRoot%\system32\cmd.exe  [6]
    FP_NO_HOST_CHECK = NO  [6]
    NUMBER_OF_PROCESSORS = 1  [6]
    OS = Windows_NT  [6]
    PATHEXT = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH  [6]
    PROCESSOR_ARCHITECTURE = x86  [6]
    PROCESSOR_IDENTIFIER = x86 Family 6 Model 3 Stepping 3, GenuineIntel  [6]
    PROCESSOR_LEVEL = 6  [6]
    PROCESSOR_REVISION = 0303  [6]
    Path = %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem  [6]
    TEMP = %SystemRoot%\TEMP  [6]
    TMP = %SystemRoot%\TEMP  [6]
    _NT_SYMBOL_PATH = srv*C:\Symbols*http://msdl.microsoft.com/download/symbols  [6]
    windir = %SystemRoot%  [6]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters
    WinSock_Registry_Version = 2.0  [2]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
    Num_Catalog_Entries = 3  [1]
    Serial_Access_Num = 4  [2]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
    DisplayString = Tcpip  [4]
    Enabled = 1  [1]
    LibraryPath = %SystemRoot%\System32\mswsock.dll  [2]
    ProviderId = 0x409d05229e7ecf11ae5a00aa00a7112b  [1]
    StoresServiceClassInfo = 0  [1]
    SupportedNameSpace = 12  [1]
    Version = 0  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
    DisplayString = NTDS  [4]
    Enabled = 1  [1]
    LibraryPath = %SystemRoot%\System32\winrnr.dll  [2]
    ProviderId = 0xee37263b80e5cf11a55500c04fd8d4ac  [1]
    StoresServiceClassInfo = 0  [1]
    SupportedNameSpace = 32  [1]
    Version = 0  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
    DisplayString = Network Location Awareness (NLA) Namespace  [4]
    Enabled = 1  [1]
    LibraryPath = %SystemRoot%\System32\mswsock.dll  [2]
    ProviderId = 0x3a244266a83ba64abaa52e0bd71fdd83  [1]
    StoresServiceClassInfo = 0  [1]
    SupportedNameSpace = 15  [1]
    Version = 0  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
    Next_Catalog_Entry_ID = 1012  [1]
    Num_Catalog_Entries = 11  [1]
    Serial_Access_Num = 4  [2]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
    PackedCatalogItem = %SystemRoot%\system32\rsvpsp.d  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
    PackedCatalogItem = %SystemRoot%\system32\rsvpsp.d  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
    PackedCatalogItem = %SystemRoot%\system32\mswsock.  [1]
  HKLM\System\Setup
    SystemSetupInProgress = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment
    TEMP = %USERPROFILE%\Local Settings\Temp  [6]
    TMP = %USERPROFILE%\Local Settings\Temp  [6]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    EnableHttp1_1 = 1  [1]
    EnableNegotiate = 1  [1]
    MimeExclusionListForCache = multipart/mixed multipart/x-mixed-replace multipart/x-byteranges  [4]
    SecureProtocols = 160  [1]
    WarnOnPost = 0x01000000  [1]
    WarnOnZoneCrossing = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    CertificateRevocation = 0  [1]
    DisableCachingOfSSLPages = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Internet Explorer\Settings
    Anchor Color = 0,0,255  [4]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    ParseAutoexec = 1  [3]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    AppData = %USERPROFILE%\Application Data  [3]
    Cache = %USERPROFILE%\Local Settings\Temporary Internet Files  [1]
    Cookies = %USERPROFILE%\Cookies  [1]
    History = %USERPROFILE%\Local Settings\History  [1]
    Personal = %USERPROFILE%\My Documents  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
    Signature = Client UrlCache MMF Ver 5.2  [2]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    CacheLimit = 163410  [1]
    CachePrefix =  [2]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    CacheLimit = 8192  [1]
    CachePrefix = Cookie:  [2]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022
    CacheLimit = 8192  [1]
    CacheOptions = 11  [1]
    CachePath = %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007101520071022  [2]
    CachePrefix = :2007101520071022:  [2]
    CacheRepair = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029
    CacheLimit = 8192  [1]
    CacheOptions = 11  [1]
    CachePath = %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007102220071029  [2]
    CachePrefix = :2007102220071029:  [2]
    CacheRepair = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102
    CacheLimit = 8192  [1]
    CacheOptions = 11  [1]
    CachePath = %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007110120071102  [2]
    CachePrefix = :2007110120071102:  [2]
    CacheRepair = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData
    CacheLimit = 1000  [1]
    CacheOptions = 8  [1]
    CachePath = %USERPROFILE%\UserData  [2]
    CachePrefix = UserData  [2]
    CacheRepair = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
    CacheLimit = 8192  [1]
    CacheOptions = 0  [1]
    CachePath = %USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache  [2]
    CachePrefix = feedplat:  [2]
    CacheRepair = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    CacheLimit = 8192  [1]
    CachePrefix = Visited:  [2]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
    MigrateProxy = 1  [1]
    ProxyEnable = 0  [1]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings = 0x3c0000000200000001000000000000000000000000000000040000000000  [2]
    SavedLegacySettings = 0x460000005e00000001000000000000000000000000000000040000000000  [4]
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment
    APPDATA = C:\Documents and Settings\user\Application Data  [6]
    CLIENTNAME = Console  [6]
    HOMEDRIVE = C:  [6]
    HOMEPATH = \Documents and Settings\user  [6]
    HOMESHARE =  [6]
    LOGONSERVER = \\USER  [6]
    SESSIONNAME = Console

Registry Monitored (key | watch subtree | notify filter | count):
  HKLM\Software\Microsoft\Tracing\RASAPI32 | 0 | Attributes Change, Value Change, Security Descriptor Change | 2
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 | 0 | Key Change | 1
  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | 0 | Key Change

Files Deleted:
  C:\DOCUME~1\user\LOCALS~1\Temp\39471.dmp
  C:\DOCUME~1\user\LOCALS~1\Temp\5f86_appcompat.txt

Files Created:
  C:\DOCUME~1\user\LOCALS~1\Temp\39471.dmp

Files Read:
  C:\WINDOWS\win.ini
  C:\sample.exe
  PIPE\lsarpc
  c:\autoexec.bat

Files Modified:
  PIPE\lsarpc

File System Control (file | control code | times):
  PIPE\lsarpc | 0x0011C017 | 38

Memory Mapped File:
  C:\DOCUME~1\user\LOCALS~1\Temp\39471.dmp
  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\Apphelp.dll
  C:\WINDOWS\system32\IMM32.DLL
  C:\WINDOWS\system32\NETAPI32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  C:\WINDOWS\system32\SETUPAPI.dll
  C:\WINDOWS\system32\SHLWAPI.dll
  C:\WINDOWS\system32\Secur32.dll
  C:\WINDOWS\system32\USER32.dll
  C:\WINDOWS\system32\USERENV.dll
  C:\WINDOWS\system32\VERSION.dll
  C:\WINDOWS\system32\WINSTA.dll
  C:\WINDOWS\system32\WTSAPI32.dll
  C:\WINDOWS\system32\comctl32.dll
  C:\WINDOWS\system32\faultrep.dll
  C:\WINDOWS\system32\gdi32.dll
  C:\WINDOWS\system32\kernel32.dll
  C:\WINDOWS\system32\msvcrt.dll
  C:\WINDOWS\system32\ntdll.dll
  C:\sample.exe
  C:\Documents and Settings\user\Cookies\index.dat
  C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat
  C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Service Started: RASMAN