Download Source: hxxp://204.2.183.2/phuong-hong/task.rar

Downloaded the file and tried to extract content with WinRar. This gave an error; then, checking the file header, it was noticed that it's actually an EXE file renamed to Rar. Changed the name to task.exe before analyzing.

File Name: task.exe
MD5: a6eb7d919e34ae8a4ee235bb124646ed
SHA1: 778fed51b7549ea1725a8bc3626a523442e8ac5a
SHA256: 9227a92c3762c1219039089e9ff2ee6ec3b716df06a3e6ccce745770c59f7106
SHA512: 242ad3a95b7e6c835bf02393840bb4bd206af0c8fa17fd254a300565366755c5fd56696d89335518bbb36abb6431ea42263f5e9145475c37a0c99e949de705ff

VirusTotal Result: 25/32 (78.13%)
AntiVir: TR/Dldr.Agent.Hox.1
Avast: Win32:Agent-TFA
AVG: Downloader.Agent.AAWD
BitDefender: Trojan.Downloader.VB.AXY
CAT-QuickHeal: TrojanDownloader.Agent.hox
ClamAV: Trojan.Downloader-23718
DrWeb: Win32.HLLW.Autoruner.1083
eSafe: Win32.Agent.hox
Ewido: Downloader.Agent.hox
F-Prot: W32/Downldr2.AXTE
F-Secure: Trojan-Downloader.Win32.Agent.hox
Ikarus: Trojan.Win32.Crypt.D
Kaspersky: Trojan-Downloader.Win32.Agent.hox
McAfee: W32/Autorun.worm.bm
NOD32v2: probably a variant of Win32/Genetik
Norman: W32/Agent.EGUO
Panda: Suspicious file
Prevx1: Heuristic: Suspicious Self Modifying EXE
Sophos: Mal/Generic-A
Sunbelt: Trojan-Downloader.Vb.AXY
Symantec: W32.SillyDC
TheHacker: Trojan/Downloader.Agent.hox
VBA32: Trojan-Downloader.Win32.Agent.hox
VirusBuster: Trojan.DL.Agent.CXOV
Webwasher-Gateway: Trojan.Dldr.Agent.Hox.1

Analysis Report: http://malwareinfo.freeforums.org/204-2-183-2-phuong-hong-task-rar-t10.html

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0002
Time/Date stamp: 47A5B834
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00014000
Size of initialized data: 00026000
Size of uninitialized data: 00000000
Address of entry point: 00001164
Base of code: 00001000
Base of data: 00015000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0001
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00046000
Size of headers: 00000200
Checksum: 00044A96
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    0003A000  00001000  00010E00  00000200  E0000060
.rsrc    0000B000  0003B000  0000A600  00011000  E0000020

Import table (libraries: 1)
kernel32.dll (imports: 4)
  LoadLibraryA
  GetProcAddress
  VirtualAlloc
  VirtualFree

File System Activities:
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\explorer.exe ()
Find File: explorer.exe
Find File: C:\WINDOWS\userinit.exe
Open File: C:\file.exe (OPEN_EXISTING)
Create File: C:\WINDOWS\userinit.exe
Open File: C:\file.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\userinit.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\userinit.exe
Set File Attributes: C:\WINDOWS\userinit.exe Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\userinit.exe ()
Find File: userinit.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
INI File Read: WINHELP.INI [FILES] .HLP =

Registry Read:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 "AllowUnsafeObjectPassing"

Process Activities:
Creates Process - Filename () CommandLine: (C:\WINDOWS\explorer.exe C:\) As User: () Creation Flags: ()
Creates Process - Filename () CommandLine: (C:\WINDOWS\userinit.exe) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1776) As User: () Creation Flags: ()
Enum Processes
Enum Modules - Target PID: (4), (568), (616), (640), (684), (700), (708), (900), (968), (1060), (1108), (1164), (1456), (1536), (1600), (1720), (1892), (312), (344), (404), (1316), (472), (1776)
Open Process - Filename () Target PID: (4)
Open Process - Filename (\SystemRoot\System32\smss.exe) Target PID: (568)
Open Process - Filename (C:\WINDOWS\system32\csrss.exe) Target PID: (616)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (640)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (684)
Open Process - Filename (C:\WINDOWS\system32\savedump.exe) Target PID: (700)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (708)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (900)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (968)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1060)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1108)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1164)
Open Process - Filename (C:\WINDOWS\system32\userinit.exe) Target PID: (1456)
Open Process - Filename (C:\WINDOWS\system32\spoolsv.exe) Target PID: (1536)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1600)
Open Process - Filename (C:\Documents and Settings\Sandbox\Start Menu\Programs\Startup\SandboxReboot.exe) Target PID: (1720)
Open Process - Filename (C:\WINDOWS\System32\alg.exe) Target PID: (1892)
Open Process - Filename (C:\WINDOWS\system32\wscntfy.exe) Target PID: (312)
Open Process - Filename (B:\SandboxReboot.exe) Target PID: (344)
Open Process - Filename (B:\SandboxReboot-5min.exe) Target PID: (404)
Open Process - Filename (B:\ClickInstall.exe) Target PID: (1316)
Open Process - Filename (C:\WINDOWS\system32\cmd.exe) Target PID: (472)

System Info:
Get System Directory
Get Windows Directory

Enum Windows:
Destroy Window - Class Name (ThunderRT6Timer) Window Name ()
Destroy Window - Class Name (ThunderRT6CheckBox) Window Name ()
Destroy Window - Class Name (ThunderRT6UserControlDC) Window Name ()
Destroy Window - Class Name (ThunderRT6FormDC) Window Name (Worm)
Destroy Window - Class Name (ThunderRT6Main) Window Name (thanhminh)
Destroy Window - Class Name () Window Name ()
Destroy Window - Class Name (VBMsoStdCompMgr) Window Name ()

Process Activity:

Process: C:\WINDOWS\explorer.exe C:\

File System Activities:
Open File: \\.\WMIDataDevice (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)

Process Management:
Kill Process - Filename () CommandLine: () Target PID: (1780) As User: () Creation Flags: ()
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1600)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1600)

System Info:
Get System Directory

Process: C:\WINDOWS\userinit.exe

COM Activities:
COM Get Class Object: , Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\MSWINSCK.OCX, Interface ID: ({00000001-0000-0000-C000-000000000046})

File System Activities:
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\system.exe
Find File: C:\WINDOWS\system32\MSWINSCK.OCX
Create/Open File: C:\WINDOWS\system32\MSWINSCK.OCX (OPEN_ALWAYS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\Regsvr32.exe ()
Find File: Regsvr32.exe
Find File: C:\*.*
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Create/Open File: \Dfs (OPEN_ALWAYS)
Find File: C:\WINDOWS\kdcoms.dll
Create File: C:\WINDOWS\kdcoms.dll
Open File: C:\WINDOWS\userinit.exe (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\system.exe
Open File: C:\WINDOWS\userinit.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\system.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\system.exe
Set File Attributes: C:\WINDOWS\system32\system.exe Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\system.exe ()
Find File: system.exe
Open File: C:\WINDOWS\system32\MSWINSCK.OCX (OPEN_EXISTING)
Create/Open File: C:\WINDOWS\kdcoms.dll (OPEN_ALWAYS)
Find File: C:\WINDOWS\system32\task.exe
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Registry Change:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = C:\WINDOWS\userinit.exe

Registry Read:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider "Name"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider "Name"
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

Process Management:
Creates Process - Filename () CommandLine: (Regsvr32 C:\WINDOWS\system32\MSWINSCK.OCX /s) As User: () Creation Flags: ()
Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\system.exe) As User: () Creation Flags: ()
Enum Processes
Enum Modules - Target PID: (4), (568), (616), (640), (684), (700), (708), (900), (968), (1060), (1108), (1164), (1456), (1536), (1600), (1720), (1892), (312), (344), (404), (1316), (472), (1776), (1816), (1904), (2000)
Open Process - Filename () Target PID: (4)
Open Process - Filename (\SystemRoot\System32\smss.exe) Target PID: (568)
Open Process - Filename (C:\WINDOWS\system32\csrss.exe) Target PID: (616)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (640)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (684)
Open Process - Filename (C:\WINDOWS\system32\savedump.exe) Target PID: (700)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (708)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (900)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (968)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1060)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1108)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1164)
Open Process - Filename (C:\WINDOWS\system32\userinit.exe) Target PID: (1456)
Open Process - Filename (C:\WINDOWS\system32\spoolsv.exe) Target PID: (1536)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1600)
Open Process - Filename (C:\Documents and Settings\Sandbox\Start Menu\Programs\Startup\SandboxReboot.exe) Target PID: (1720)
Open Process - Filename (C:\WINDOWS\System32\alg.exe) Target PID: (1892)
Open Process - Filename (C:\WINDOWS\system32\wscntfy.exe) Target PID: (312)
Open Process - Filename (B:\SandboxReboot.exe) Target PID: (344)
Open Process - Filename (B:\SandboxReboot-5min.exe) Target PID: (404)
Open Process - Filename (B:\ClickInstall.exe) Target PID: (1316)
Open Process - Filename (C:\WINDOWS\system32\cmd.exe) Target PID: (472)
Open Process - Filename (C:\file.exe) Target PID: (1776)
Open Process - Filename (C:\WINDOWS\system32\system.exe) Target PID: (1904)
Open Process - Filename (C:\WINDOWS\system32\wuauclt.exe) Target PID: (2000)

System Info:
Get System Directory
Get Windows Directory

Network Activities:
DNS Lookup - Host Name / IP Address
scss.ath.cx 222.254.102.118
scss.ath.cx 222.254.102.118
scss.ath.cx 222.254.102.118
scss.ath.cx 222.254.102.118
Outgoing connection to remote server: scss.ath.cx TCP port 8800

Process: Regsvr32 C:\WINDOWS\system32\MSWINSCK.OCX /s

COM Activities:
COM Create Instance: OLE32.DLL, ProgID: (), Interface ID: ({0002E012-0000-0000-C000-000000000046})

File System Activities:
Open File: C:\WINDOWS\system32\MSWINSCK.OCX (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\HELP\MSWNSK98.chm Flags: (SECURITY_ANONYMOUS)

Registry Changes:
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} "" = Microsoft WinSock Control, version 6.0
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 "" = C:\WINDOWS\system32\MSWINSCK.OCX
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 "ThreadingModel" = Apartment
HKEY_CLASSES_ROOT\MSWinsock.Winsock "" = Microsoft WinSock Control, version 6.0
HKEY_CLASSES_ROOT\MSWinsock.Winsock\CLSID "" = {248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\MSWinsock.Winsock\CurVer "" = MSWinsock.Winsock.1
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1 "" = Microsoft WinSock Control, version 6.0
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1\CLSID "" = {248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID "" = MSWinsock.Winsock
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID "" = MSWinsock.Winsock.1
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib "" = {248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version "" = 1.0
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus "" = 0
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1 "" = 132497
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 "" = C:\WINDOWS\system32\MSWINSCK.OCX, 1
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} "" = Winsock General Property Page Object
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 "" = C:\WINDOWS\system32\MSWINSCK.OCX
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0 "" = Microsoft Winsock Control 6.0
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS "" = 2
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 "" = C:\WINDOWS\system32\MSWINSCK.OCX
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR "" =
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} "" = IMSWinsockControl
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid "" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 "" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib "" = {248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib "Version" = 1.0
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} "" = DMSWinsockControlEvents
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid "" = {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 "" = {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib "" = {248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib "Version" = 1.0

Registry Reads:
HKEY_CLASSES_ROOT\.OCX ""
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0 ""
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS ""
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 ""
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR ""
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} ""
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid ""
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 ""
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib "Version"
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} ""
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid ""
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 ""
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib "Version"

Registry Enums:
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}

Process Management:
Kill Process - Filename () CommandLine: () Target PID: (1836) As User: () Creation Flags: ()

System Info:
Get Windows Directory

Window Destroy:
Window - Class Name (NMNotifyWindowClass) Window Name (Notification Window)

Process: C:\WINDOWS\system32\system.exe

COM Activities:
COM Create Instance: C:\WINDOWS\system32\scrrun.dll, ProgID: (Scripting.FileSystemObject), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Get Class Object: , Interface ID: ({00000001-0000-0000-C000-000000000046})

File System Activities:
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\kdcoms32.dll
Open File: C:\WINDOWS\system32\scrrun.dll (OPEN_EXISTING)

Registry Reads:
HKEY_CLASSES_ROOT\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0\0 "win32"

Process Management:
Enum Processes
Enum Modules - Target PID: (4), (568), (616), (640), (684), (700), (708), (900), (968), (1060), (1108), (1164), (1456), (1536), (1600), (1720), (1892), (312), (344), (404), (1316), (472), (1816), (1904), (2000)
Open Process - Filename () Target PID: (4)
Open Process - Filename (\SystemRoot\System32\smss.exe) Target PID: (568)
Open Process - Filename (C:\WINDOWS\system32\csrss.exe) Target PID: (616)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (640)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (684)
Open Process - Filename (C:\WINDOWS\system32\savedump.exe) Target PID: (700)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (708)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (900)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (968)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1060)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1108)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1164)
Open Process - Filename (C:\WINDOWS\system32\userinit.exe) Target PID: (1456)
Open Process - Filename (C:\WINDOWS\system32\spoolsv.exe) Target PID: (1536)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1600)
Open Process - Filename (C:\Documents and Settings\Sandbox\Start Menu\Programs\Startup\SandboxReboot.exe) Target PID: (1720)
Open Process - Filename (C:\WINDOWS\System32\alg.exe) Target PID: (1892)
Open Process - Filename (C:\WINDOWS\system32\wscntfy.exe) Target PID: (312)
Open Process - Filename (B:\SandboxReboot.exe) Target PID: (344)
Open Process - Filename (B:\SandboxReboot-5min.exe) Target PID: (404)
Open Process - Filename (B:\ClickInstall.exe) Target PID: (1316)
Open Process - Filename (C:\WINDOWS\system32\cmd.exe) Target PID: (472)
Open Process - Filename (C:\WINDOWS\userinit.exe) Target PID: (1816)
Open Process - Filename (C:\WINDOWS\system32\wuauclt.exe) Target PID: (2000)

System Info:
Get System Directory
Get Windows Directory
Get System Time