Analysis Report

Summary
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Downloads Executable Code: The executable issues HTTP Requests and downloads potential malicious executable code.

General information

nnpnvxjy.exe

C:\nnpnvxjy.exe
Primary Analysis Subject
General information
a) Registry Activities
b) File Activities
c) Windows Service Activities
d) Process Activities
e) Network Activities
f) Other Activities

services.exe

d.exe

c:\d.exe
Started by nnpnvxjy.exe
General information
a) Registry Activities
b) File Activities
c) Process Activities

tmp.tmp

C:\DOCUME~1\user\LOCALS~1\Temp\tmp.tmp
Started by d.exe
General information
a) Registry Activities
b) File Activities
c) Process Activities
d) Other Activities

dwwin.exe

C:\WINDOWS\system32\dwwin.exe
Started by tmp.tmp
General information
a) Registry Activities
b) File Activities
c) Process Activities

drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe
Started by tmp.tmp
General information
a) Registry Activities
b) File Activities
c) Process Activities

regsvr32.exe

C:\WINDOWS\system32\regsvr32.exe
Started by d.exe
General information
a) Registry Activities
b) File Activities
c) Process Activities

cmd.exe

cmd.exe

C:\WINDOWS\system32\cmd.exe
Started by nnpnvxjy.exe
General information
a) Registry Activities
b) File Activities

1. General Information

File Name: nnpnvxjy.exe
File size: 6656 bytes
MD5: ac676df70820d150601574163a3d1d71
SHA1: 38232d6fbeac702b7464a6250e96ead90a3fe501
PEiD: -

VirusTotal Result: 8/32 (25.00%)
CAT-QuickHeal 9.50 2008.03.24 (Suspicious) - DNAScan
eSafe 7.0.15.0 2008.03.18 Suspicious File
Kaspersky 7.0.0.125 2008.03.25 Heur.Downloader
Microsoft 1.3301 2008.03.25 TrojanDownloader:Win32/Harnig.gen!L
NOD32v2 2971 2008.03.25 probably unknown NewHeur_PE virus
Panda 9.0.0.4 2008.03.25 Suspicious file
VBA32 3.12.6.3 2008.03.25 Trojan-Downloader.Win32.Small.suq
Webwasher-Gateway 6.6.2 2008.03.25 Virus.Win32.FileInfector.gen (suspicious)

- Network Activity

From SandBox:1037 to 85.255.120.203:80 - [flyvideonetwork.com]
Request: HEAD /tor/search.dll
Response: 200 "OK"
Request: GET /tor/search.dll
Response: 200 "OK"

	- Unknown UDP Traffic:

from SandBox:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 64 - Transferred inbound Bytes: 232

from SandBox:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 37 - Transferred inbound Bytes: 99

	- TCP Connection Attempts:

from SandBox:1036 to 67.43.232.38:8080

from SandBox:1038 to 85.255.120.203:80

2. nnpnvxjy.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	nnpnvxjy.exe
MD5:	ac676df70820d150601574163a3d1d71
SHA-1:	38232d6fbeac702b7464a6250e96ead90a3fe501
File Size:	6656 Bytes
Command Line:	C:\nnpnvxjy.exe
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000B0000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F5000
C:\WINDOWS\system32\user32.dll	0x7E410000	0x00090000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00047000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Normaliz.dll	0x00870000	0x00009000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\wininet.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\urlmon.dll	0x42CF0000	0x00124000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00054000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\System32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\ws2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\sensapi.dll	0x722B0000	0x00005000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004B000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B3000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00815000

2.a) nnpnvxjy.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common Desktop	C:\Documents and Settings\All Users\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common Documents	C:\Documents and Settings\All Users\Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Desktop	C:\Documents and Settings\user\Desktop
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	History	C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Personal	C:\Documents and Settings\user\My Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AutoDetect	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IntranetName	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ProxyBypass	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UNCAsIntranet	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x460000005f00000001000000000000000000000000000000040000000000

	- Registry Values Read:

Key	Name	Value
HKLM\SOFTWARE\CLASSES\.ADE		Access.ADEFile.11
HKLM\SOFTWARE\CLASSES\.ADP		Access.Project.11
HKLM\SOFTWARE\CLASSES\.ASP		aspfile
HKLM\SOFTWARE\CLASSES\.BAT		batfile
HKLM\SOFTWARE\CLASSES\.CER		CERFile
HKLM\SOFTWARE\CLASSES\.CHM		chm.file
HKLM\SOFTWARE\CLASSES\.CMD		cmdfile
HKLM\SOFTWARE\CLASSES\.COM		comfile
HKLM\SOFTWARE\CLASSES\.CPL		cplfile
HKLM\SOFTWARE\CLASSES\.CRT		CERFile
HKLM\SOFTWARE\CLASSES\.EXE		exefile
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32		%SystemRoot%\system32\SHELL32.dll
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32		C:\WINDOWS\system32\urlmon.dll
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32	ThreadingModel	Both
HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32		shell32.dll
HKLM\SOFTWARE\CLASSES\DIRECTORY	AlwaysShowExt
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}	DriveMask	32
HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND		"%1" %*
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/HTML	Extension	.htm
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/PLAIN	Extension	.txt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnablePunycode	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 1.1.4322
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 2.0.50727
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	.NET CLR 3.0.04506.30
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	InfoPath.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens	MSN 2.0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens	MSN 2.5
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000
HKLM\Software\Microsoft\COM3	Com+Enabled	1
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0f00000000000000
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003	ProfileImagePath	%SystemDrive%\Documents and Settings\user
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks	{AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common Desktop	%ALLUSERSPROFILE%\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common Documents	%ALLUSERSPROFILE%\Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	PerUserItem	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	PerUserItem	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	PerUserItem	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related	http	4
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	_NT_SYMBOL_PATH	srvC:\Symbolshttp://msdl.microsoft.com/download/symbols
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.
HKLM\System\Setup	SystemSetupInProgress	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment	TEMP	%USERPROFILE%\Local Settings\Temp
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment	TMP	%USERPROFILE%\Local Settings\Temp
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CertificateRevocation	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableCachingOfSSLPages	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableNegotiate	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SecureProtocols	160
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Win32)
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnPost	0x01000000
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnZoneCrossing	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\	ShellState	0x2400000033880000000000000000000000000000010000000d0000000000
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	Data	0x000000005c005c003f005c0049004400450023004300640052006f006d00
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	Generation	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	Data	0x000000005c005c003f005c00530054004f00520041004700450023005600
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	Generation	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Desktop	%USERPROFILE%\Desktop
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	History	%USERPROFILE%\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	Signature	Client UrlCache MMF Ver 5.2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CacheLimit	163410
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CachePrefix
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CacheLimit	8192
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CachePrefix	Cookie:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CacheLimit	8192
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CacheOptions	11
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012007101520071022
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CachePrefix	:2007101520071022:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CacheRepair	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CacheLimit	8192
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CacheOptions	11
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012007102220071029
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CachePrefix	:2007102220071029:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CacheRepair	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CacheLimit	8192
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CacheOptions	11
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012007110120071102
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CachePrefix	:2007110120071102:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CacheRepair	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheLimit	1000
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheOptions	8
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePath	%USERPROFILE%\UserData
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePrefix	UserData
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheRepair	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheLimit	8192
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheOptions	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePath	%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePrefix	feedplat:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheRepair	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CacheLimit	8192
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CachePrefix	Visited:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AutoDetect	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	@ivt	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	file	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	ftp	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	http	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	https	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	shell	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1806	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	Flags	33
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	Flags	475
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	Flags	71
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1A10	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	Flags	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	Flags	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam		USER
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	LangID	0x0904
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\	C:\WINDOWS\system32\cmd.exe	Windows Command Processor
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	DefaultConnectionSettings	0x3c0000000200000001000000000000000000000000000000040000000000
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x460000005e00000001000000000000000000000000000000040000000000
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	APPDATA	C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	CLIENTNAME	Console
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMEDRIVE	C:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMEPATH	\Documents and Settings\user
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMESHARE
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	LOGONSERVER	\\USER
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	SESSIONNAME	Console

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKU	1	Key Change,Value Change	3

2.b) nnpnvxjy.exe - File Activities

	- Files Created:

C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\uniq[1].htm

C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\ddos[1].txt

c:\1824245000

c:\d.exe

	- Files Read:

C:\Documents and Settings\All Users\Documents\desktop.ini

C:\Documents and Settings\user\My Documents\desktop.ini

C:\WINDOWS\Registration\R00000000000f.clb

PIPE\lsarpc

PIPE\wkssvc

c:\autoexec.bat

	- Files Modified:

MountPointManager

PIPE\lsarpc

PIPE\wkssvc

\Device\Afd\AsyncConnectHlp

\Device\RasAcd

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	66
PIPE\wkssvc	0x0011C017	1

	- Device Control Communication:

File	Control Code	Times
WMIDataDevice	0x00228144	2
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	2
\Device\Afd\Endpoint	AFD_SET_INFO (0x0001203B)	4
\Device\Afd\AsyncConnectHlp	AFD_CONNECT (0x00012007)	2
\Device\Afd\Endpoint	AFD_SELECT (0x00012024)	2
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	2
unnamed file	0x00120028	4
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	12
\Device\Afd\Endpoint	AFD_SEND (0x0001201F)	2
\Device\Afd\Endpoint	AFD_RECV (0x00012017)	33
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0008	2
STORAGE#Volume#1&30a96598&0&Signature95619561Offset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0034	4

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\rpcss.dll

C:\Documents and Settings\user\Cookies\index.dat

C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat

C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat

2.c) nnpnvxjy.exe - Windows Service Activities

	- Services Started:

RASMAN

2.d) nnpnvxjy.exe - Process Activities

	- Processes Created:

Executable	Command Line
	c:\d.exe
C:\WINDOWS\system32\cmd.exe	"C:\WINDOWS\system32\cmd.exe" /c del C:\nnpnvxjy.exe > nul

	- Thread Overview:

Time	Number of threads
After 21 seconds	1

2.e) nnpnvxjy.exe - Network Activity

	- DNS Queries:

Name	Query Type	Query Result	Successful	Protocol
aevqritikn.com	DNS_TYPE_A	85.255.121.196	1
aarmrgdxrv.com	DNS_TYPE_A	85.255.121.195	1

	- HTTP Conversations:

From SandBox:1034 to 85.255.121.196:80 - [aevqritikn.com]
Request: GET /uniq.php?id=1824245000
Response: 200 "OK"
From SandBox:1035 to 85.255.121.195:80 - [aarmrgdxrv.com]
Request: GET /ddos.txt
Response: 200 "OK"

	- TCP Connection Attempts:

from 85.114.143.208:65520 to SandBox:1034

2.f) nnpnvxjy.exe - Other Activities

	- Mutexes Created:

CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003

Local\WininetConnectionMutex

Local\ZoneAttributeCacheCounterMutex

Local\c:!documents and settings!user!cookies!

Local\c:!documents and settings!user!local settings!history!history.ie5!

Local\c:!documents and settings!user!local settings!temporary internet files!content.ie5!

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4014bc	1

3. services.exe

	- General information about this executable

Analysis Reason:	NtConnectPort(\RPC Control\ntsvcs was called.
Filename:	services.exe
MD5:	c6ce6eec82f187615d1002bb3bb50ed4
SHA-1:	b958912d139cb8dbfeeacdd38ba048c4f452174e
File Size:	108032 Bytes
Command Line:	C:\WINDOWS\system32\services.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000B0000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F5000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00090000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00047000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B3000
C:\WINDOWS\system32\SCESRV.dll	0x758E0000	0x00050000
C:\WINDOWS\system32\AUTHZ.dll	0x776C0000	0x00011000
C:\WINDOWS\system32\umpnpmgr.dll	0x7DBA0000	0x00021000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00054000
C:\WINDOWS\system32\NCObjAPI.DLL	0x5F770000	0x0000C000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00815000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\eventlog.dll	0x77B70000	0x00011000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000

3.a) services.exe - Registry Activities

	- Registry Keys Created:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Control

	- Registry Values Modified:

Key	Name	New Value
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Control	ActiveService	BITS
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control	ActiveService	RasMan
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control	ActiveService	TapiSrv
HKLM\System\CurrentControlSet\Services\BITS	Start	3

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0	ClassGUID	{4D36E96B-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0	ClassGUID	{4D36E978-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1	ClassGUID	{4D36E978-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0	ClassGUID	{4D36E969-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0	ClassGUID	{4D36E96F-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02	ClassGUID	{4D36E96E-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020	ClassGUID	{4D36E965-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.0___\4D51303030302031202020202020202020202020	ClassGUID	{4D36E967-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10	ClassGUID	{4D36E968-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	DeviceDesc	Realtek RTL8029(AS)-based Ethernet Adapter (Generic)	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18	Driver	{4D36E972-E325-11CE-BFC1-08002BE10318}\0001	2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09	ClassGUID	{4D36E96A-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000	ClassGUID	{4D36E966-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VGASAVE\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID	ClassGUID	{4D36E96C-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000	Capabilities	0	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000	ClassGUID	{4D36E96D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000	ConfigFlags	0	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000	Driver	{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	DeviceDesc	WAN Miniport (IP)	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000	Driver	{4D36E972-E325-11CE-BFC1-08002BE10318}\0008	2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0001	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000	ClassGUID	{4D36E972-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0003	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0004	ClassGUID	{4D36E97D-E325-11CE-BFC1-08002BE10318}	1
HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATURE95619561OFFSET7E00LENGTH13F291800	ClassGUID	{71A27CDD-812A-11D0-BEC7-08002BE2092F}	1
HKLM\SYSTEM\CONTROLSET001\SERVICES\BITS\Enum	0	Root\LEGACY_BITS\0000	3
HKLM\SYSTEM\CONTROLSET001\SERVICES\BITS\Enum	Count	1	6
HKLM\SYSTEM\CONTROLSET001\SERVICES\PlugPlay	PlugPlayServiceType	3	1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum	0	Root\LEGACY_RASMAN\0000	3
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum	Count	1	6
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum	0	Root\LEGACY_RPCSS\0000	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum	Count	1	4
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum	0	Root\LEGACY_TAPISRV\0000	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum	Count	1	4
HKLM\System\CurrentControlSet\Services\BITS	ImagePath	%SystemRoot%\system32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\BITS	ObjectName	LocalSystem	2
HKLM\System\CurrentControlSet\Services\BITS	Start	3	2
HKLM\System\CurrentControlSet\Services\PlugPlay	ObjectName	LocalSystem	1
HKLM\System\CurrentControlSet\Services\RasMan	ImagePath	%SystemRoot%\system32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\RasMan	ObjectName	LocalSystem	2
HKLM\System\CurrentControlSet\Services\RpcSs	ObjectName	NT AUTHORITY\NetworkService	2
HKLM\System\CurrentControlSet\Services\TapiSrv	ImagePath	%SystemRoot%\System32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\TapiSrv	ObjectName	LocalSystem	2

3.b) services.exe - File Activities

	- Files Read:

C:\ntsvcs, Flags: Named pipe

	- Files Modified:

C:\WINDOWS\system32\config\AppEvent.Evt

C:\WINDOWS\system32\config\SysEvent.Evt

C:\ntsvcs, Flags: Named pipe

	- File System Control Communication:

File	Control Code	Times
C:\net\NtControlPipe4, Flags: Named pipe	0x0011C017	3
C:\ntsvcs, Flags: Named pipe	0x0011001C	4

3.c) services.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 46 seconds	1
After 108 seconds	0
After 111 seconds	1

4. d.exe

	- General information about this executable

Analysis Reason:	Started by nnpnvxjy.exe
Filename:	d.exe
Command Line:	c:\d.exe
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000B0000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F5000
C:\WINDOWS\system32\user32.dll	0x7E410000	0x00090000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00047000
C:\WINDOWS\system32\oleaut32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\shell32.dll	0x7C9C0000	0x00815000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\xpsp2res.dll	0x20000000	0x002C5000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\urlmon.dll	0x42CF0000	0x00124000
C:\WINDOWS\system32\netapi32.dll	0x5B860000	0x00054000
C:\WINDOWS\system32\qmgrprxy.dll	0x5DDC0000	0x00009000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004B000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

4.a) d.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	UA12700
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	UQTUJTHOCM
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common Desktop	C:\Documents and Settings\All Users\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common Documents	C:\Documents and Settings\All Users\Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Desktop	C:\Documents and Settings\user\Desktop
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Personal	C:\Documents and Settings\user\My Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AutoDetect	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IntranetName	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ProxyBypass	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UNCAsIntranet	1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\.ADE		Access.ADEFile.11	1
HKLM\SOFTWARE\CLASSES\.ADP		Access.Project.11	1
HKLM\SOFTWARE\CLASSES\.ASP		aspfile	1
HKLM\SOFTWARE\CLASSES\.BAT		batfile	1
HKLM\SOFTWARE\CLASSES\.CER		CERFile	1
HKLM\SOFTWARE\CLASSES\.CHM		chm.file	1
HKLM\SOFTWARE\CLASSES\.CMD		cmdfile	1
HKLM\SOFTWARE\CLASSES\.COM		comfile	1
HKLM\SOFTWARE\CLASSES\.CPL		cplfile	1
HKLM\SOFTWARE\CLASSES\.CRT		CERFile	1
HKLM\SOFTWARE\CLASSES\.EXE		exefile	3
HKLM\SOFTWARE\CLASSES\APPID\{69AD4AEE-51BE-439B-A92C-86AE490E8B30}	LocalService	BITS	1
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32		%SystemRoot%\system32\SHELL32.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{4991D34B-80A1-4291-83B6-3328366B9097}	AppID	{69AD4AEE-51BE-439b-A92C-86AE490E8B30}	1
HKLM\SOFTWARE\CLASSES\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\INPROCSERVER32		C:\WINDOWS\system32\qmgrprxy.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32		C:\WINDOWS\system32\urlmon.dll	3
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32		shell32.dll	1
HKLM\SOFTWARE\CLASSES\DIRECTORY	AlwaysShowExt		1
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}	DriveMask	32	1
HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND		"%1" %*	2
HKLM\SOFTWARE\CLASSES\INTERFACE\{37668D37-507E-4160-9316-26306D150B12}\PROXYSTUBCLSID32		{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\PROXYSTUBCLSID32		{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnablePunycode	1	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0f00000000000000	8
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks	{AEB6717E-7E19-11d0-97EE-00C04FD91972}		1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common Desktop	%ALLUSERSPROFILE%\Desktop	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common Documents	%ALLUSERSPROFILE%\Documents	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com			1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related	http	4	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	3
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\	ShellState	0x2400000033880000000000000000000000000000010000000d0000000000	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	Data	0x000000005c005c003f005c0049004400450023004300640052006f006d00	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	Generation	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	Data	0x000000005c005c003f005c00530054004f00520041004700450023005600	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	Generation	1	5
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Desktop	%USERPROFILE%\Desktop	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\			1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	@ivt	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	file	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	ftp	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	http	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	https	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	shell	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1806	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	Flags	33	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	Flags	475	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	Flags	71	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	Flags	1	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	Flags	3	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam		USER	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	LangID	0x0904	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\	C:\WINDOWS\system32\cmd.exe	Windows Command Processor	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	4
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKU	1	Key Change,Value Change	3

4.b) d.exe - File Activities

	- Files Created:

C:\DOCUME~1\user\LOCALS~1\Temp\tmp.tmp

	- Files Read:

C:\Documents and Settings\All Users\Documents\desktop.ini

C:\Documents and Settings\user\My Documents\desktop.ini

C:\WINDOWS\Registration\R00000000000f.clb

PIPE\lsarpc

PIPE\wkssvc

c:\d.exe

	- Files Modified:

MountPointManager

PIPE\lsarpc

PIPE\wkssvc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	16
PIPE\wkssvc	0x0011C017	1

	- Device Control Communication:

File	Control Code	Times
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0008	2
STORAGE#Volume#1&30a96598&0&Signature95619561Offset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0034	4

	- Memory Mapped Files:

File Name

C:\DOCUME~1\user\LOCALS~1\Temp\tmp.tmp

C:\WINDOWS\system32\regsvr32.exe

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\winlogon.exe

C:\Windows\AppPatch\sysmain.sdb

4.c) d.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\DOCUME~1\user\LOCALS~1\Temp\tmp.tmp
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\cmd.exe	"C:\WINDOWS\system32\cmd.exe" /c del c:\d.exe >> NUL

	- Remote Threads Created:

Affected Process

C:\DOCUME~1\user\LOCALS~1\Temp\tmp.tmp

C:\WINDOWS\system32\regsvr32.exe

	- Thread Overview:

Time	Number of threads
After 155 seconds	1

	- Foreign Memory Regions Read:

Process: C:\DOCUME~1\user\LOCALS~1\Temp\tmp.tmp

Process: C:\WINDOWS\system32\regsvr32.exe

5. tmp.tmp

	- General information about this executable

Analysis Reason:	Started by d.exe
Filename:	tmp.tmp
MD5:	1b06a7cf662faf4ff8f900ebef8095ad
SHA-1:	84540bc4b744bae0b9fa75e06295475675aba96b
File Size:	18432 Bytes
Command Line:	C:\DOCUME~1\user\LOCALS~1\Temp\tmp.tmp
Process-status at analysis end:	dead
Exit Code:	-1073741819

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000B0000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F5000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00054000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\faultrep.dll	0x69450000	0x00016000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B3000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00047000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\shell32.dll	0x7C9C0000	0x00815000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00090000

	- Ikarus Virus Scanner

Trojan.Peed (Sig-Id:15988902)

5.a) tmp.tmp - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\Software\Microsoft\PCHealth\ErrorReporting	AllOrNone	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	DoReport	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeKernelFaults	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeMicrosoftApps	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeWindowsApps	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	ShowUI	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Auto	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Debugger	drwtsn32 -p %ld -e %ld -g	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	1
HKLM\System\Setup	SystemSetupInProgress	0	1

5.b) tmp.tmp - File Activities

	- Files Created:

C:\DOCUME~1\user\LOCALS~1\Temp\e3b4_appcompat.txt

	- Files Read:

C:\DOCUME~1\user\LOCALS~1\Temp\Adobe Reader 8\AcroRead.msi

PIPE\lsarpc

	- Files Modified:

C:\DOCUME~1\user\LOCALS~1\Temp\e3b4_appcompat.txt

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	6

	- Memory Mapped Files:

File Name

C:\DOCUME~1\user\LOCALS~1\Temp\Adobe Reader 8\AcroRead.msi

C:\DOCUME~1\user\LOCALS~1\Temp\Adobe Reader 8\Setup.exe

C:\WINDOWS\system32\kernel32.dll

5.c) tmp.tmp - Process Activities

	- Processes Created:

Executable	Command Line
	C:\WINDOWS\system32\dwwin.exe -x -s 156
	C:\WINDOWS\system32\drwtsn32 -p 1780 -e 120 -g

	- Thread Overview:

Time	Number of threads
After 175 seconds	0

5.d) tmp.tmp - Other Activities

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x44822c	1

6. cmd.exe

	- General information about this executable

Analysis Reason:	Started by nnpnvxjy.exe
Filename:	cmd.exe
MD5:	eeb024f2c81f0d55936fb825d21a91d6
SHA-1:	dd47ff16176412ec2e170cda441b4a220ff52f46
File Size:	388608 Bytes
Command Line:	"C:\WINDOWS\system32\cmd.exe" /c del C:\nnpnvxjy.exe > nul
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000B0000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F5000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00090000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00047000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00815000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B3000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

6.a) cmd.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\Software\Microsoft\Command Processor	AutoRun		1
HKLM\Software\Microsoft\Command Processor	CompletionChar	64	1
HKLM\Software\Microsoft\Command Processor	DefaultColor	0	1
HKLM\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKLM\Software\Microsoft\Command Processor	PathCompletionChar	64	1
HKLM\System\CurrentControlSet\Control\Nls\Language Groups	1	1	1
HKLM\System\CurrentControlSet\Control\Nls\Locale	00000409	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	CompletionChar	9	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	DefaultColor	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	EnableExtensions	1	1

6.b) cmd.exe - File Activities

	- Files Deleted:

C:\nnpnvxjy.exe

	- Files Modified:

nul

7. dwwin.exe

	- General information about this executable

Analysis Reason:	Started by tmp.tmp
Filename:	dwwin.exe
MD5:	7c25440617eee6f69709aa8c915d2c32
SHA-1:	40747172146706013a3334d475b5df0116c56643
File Size:	180224 Bytes
Command Line:	C:\WINDOWS\system32\dwwin.exe -x -s 156
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000B0000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F5000
C:\WINDOWS\system32\ADVAPI32.DLL	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\COMCTL32.DLL	0x5D090000	0x0009A000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00047000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00090000
C:\WINDOWS\system32\OLEAUT32.DLL	0x77120000	0x0008B000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHELL32.DLL	0x7C9C0000	0x00815000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\URLMON.DLL	0x42CF0000	0x00124000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\VERSION.DLL	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.DLL	0x42C10000	0x000CF000
C:\WINDOWS\system32\Normaliz.dll	0x00400000	0x00009000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B3000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll	0x773D0000	0x00103000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\1033\dwintl.dll	0x314C0000	0x0000C000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00054000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\ws2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\sensapi.dll	0x722B0000	0x00005000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004B000
C:\WINDOWS\system32\riched20.dll	0x74E30000	0x0006C000
C:\WINDOWS\system32\shfolder.dll	0x76780000	0x00009000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\msv1_0.dll	0x77C70000	0x00023000

	- Popups

Window Name

Window Text

tmp.tmp

&Don't Send tmp.tmp has encountered a problem and needs to close. We are sorry for the inconvenience. tmp.tmp has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, Details &Send Error Report

7.a) dwwin.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	History	C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Personal	C:\Documents and Settings\user\My Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x460000006000000001000000000000000000000000000000040000000000

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\Software\Microsoft\Rpc\SecurityService	10	secur32.dll	1
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion	DigitalProductId	0xa40000000300000037363438372d3333372d383432393935352d32323631	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Debugger	drwtsn32 -p %ld -e %ld -g	4
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	6
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003	ProfileImagePath	%SystemDrive%\Documents and Settings\user	3
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	4
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	4
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	PerUserItem	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	PerUserItem	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	6
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Capabilities	16464	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Comment	Digest SSPI Authentication Package	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Name	Digest	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	RpcId	65535	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	TokenSize	65535	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Type	49	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll	Version	1	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Capabilities	55	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Comment	DPA Security Package	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Name	DPA	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	RpcId	17	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	TokenSize	768	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Type	49	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll	Version	1	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Capabilities	55	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Comment	MSN Security Package	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Name	MSN	2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	RpcId	18	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	TokenSize	768	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Type	49	1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll	Version	1	1
HKLM\System\CurrentControlSet\Control\SecurityProviders	SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll	2
HKLM\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles	GSSAPI	Kerberos	1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	_NT_SYMBOL_PATH	srvC:\Symbolshttp://msdl.microsoft.com/download/symbols	6
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	6
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment	TMP	%USERPROFILE%\Local Settings\Temp	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	EnableHttp1_1	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	EnableNegotiate	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	SecureProtocols	160	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	WarnOnPost	0x01000000	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	WarnOnZoneCrossing	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CertificateRevocation	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableCachingOfSSLPages	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Internet Explorer\Settings	Anchor Color	0,0,255	4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	History	%USERPROFILE%\Local Settings\History	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	Signature	Client UrlCache MMF Ver 5.2	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CacheLimit	163410	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CachePrefix		2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CachePrefix	Cookie:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CacheOptions	11	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012007101520071022	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CachePrefix	:2007101520071022:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CacheOptions	11	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012007102220071029	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CachePrefix	:2007102220071029:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CacheOptions	11	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012007110120071102	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CachePrefix	:2007110120071102:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheLimit	1000	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheOptions	8	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePath	%USERPROFILE%\UserData	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CachePrefix	UserData	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheOptions	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePath	%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CachePrefix	feedplat:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat	CacheRepair	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CacheLimit	8192	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CachePrefix	Visited:	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	DefaultConnectionSettings	0x3c0000000200000001000000000000000000000000000000040000000000	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x460000005f00000001000000000000000000000000000000040000000000	4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	APPDATA	C:\Documents and Settings\user\Application Data	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	CLIENTNAME	Console	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMEDRIVE	C:	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMEPATH	\Documents and Settings\user	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	HOMESHARE		6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	LOGONSERVER	\\USER	6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment	SESSIONNAME	Console	6

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

7.b) dwwin.exe - File Activities

	- Files Deleted:

C:\DOCUME~1\user\LOCALS~1\Temp\41FF8.dmp

C:\DOCUME~1\user\LOCALS~1\Temp\e3b4_appcompat.txt

	- Files Created:

C:\DOCUME~1\user\LOCALS~1\Temp\41FF8.dmp

	- Files Read:

C:\DOCUME~1\user\LOCALS~1\Temp\tmp.tmp

C:\WINDOWS\win.ini

PIPE\ROUTER

PIPE\lsarpc

c:\autoexec.bat

	- Files Modified:

PIPE\ROUTER

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times

Analysis Report

Table of Contents

5.a) tmp.tmp - Registry Activities