Download Link: hxxp://mmcodecs.com/download/47jxf/mmcodec.exe
File Name: mmcodec.exe

VirusTotal Result: 12/32 (37.5%)

  Engine              Version       Updated     Detection
  AntiVir             7.6.0.81      2008.04.09  TR/Crypt.XDR.Gen
  Avast               4.8.1169.0    2008.04.09  Win32:Burner-E
  AVG                 7.5.0.516     2008.04.09  Downloader.Zlob.VKU
  BitDefender         7.2           2008.04.09  MemScan:Adware.Hoax.Renos.AP
  Fortinet            3.14.0.0      2008.04.09  W32/Dloader.XWH!tr
  Ikarus              T3.1.1.26.0   2008.04.09  Trojan.Crypt.XDR
  Kaspersky           7.0.0.125     2008.04.09  not-virus:Hoax.Win32.Burner.a
  Norman              5.80.02       2008.04.09  W32/Renos.QJ.dropper
  Panda               9.0.0.4       2008.04.08  Suspicious file
  Prevx1              V2            2008.04.09  Trojan.Ecodec
  Sophos              4.28.0        2008.04.09  Mal/EncPk-CO
  Webwasher-Gateway   6.6.2         2008.04.09  Trojan.Crypt.XDR.Gen

File Info:
  File size: 169984 bytes
  MD5:    df6b1c191764ef62a751a2e6ca6fda96
  SHA1:   df767c72ae5f9599714283df3e2c1ca90b9c289a
  SHA256: 4e9e0697658095ec3315577052166bb7ffb8d33f6175d513a744fd51474de126
  SHA512: b4cea3554054b92339cd48cef49ca60e6ada8327c438b3b58216d56d27d6ad9d6495a9ff2b8c03ee15ca0e628c6ac4df2752ce79753c39a32d7cf7367dd9becc

PE Header:
  Signature:                   00004550
  Machine:                     014C - Intel 386
  Number of sections:          0002
  Time/Date stamp:             47F99438  (2008-04-07 03:25:44 UTC)
  Pointer to symbol table:     00000000
  Number of symbols:           00000000
  Size of optional header:     00E0
  Characteristics:             0103  (RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE)
  Magic:                       010B  (PE32)
  Linker version (major):      08
  Linker version (minor):      00
  Size of code:                00021A00
  Size of initialized data:    00000200
  Size of uninitialized data:  00000000
  Address of entry point:      00001000
  Base of code:                00001000
  Base of data:                00023000
  Image base:                  00400000
  Section alignment:           00001000
  File alignment:              00000200
  OS version (major):          0004
  OS version (minor):          0000
  Image version (major):       0000
  Image version (minor):       0000
  Sub system version (major):  0004
  Sub system version (minor):  0000
  Win32 version:               00000000
  Size of image:               00024000
  Size of headers:             00000400
  Checksum:                    00000000
  Sub system:                  0002 - Windows graphical user interface (GUI) subsystem
  DLL characteristics:         0600  (NO_ISOLATION | NO_SEH)
  Size of stack reserve:       00100000
  Size of stack commit:        00001000
  Size of heap reserve:        00100000
  Size of heap commit:         00001000
  Loader flags:                00000000
  Number of RVA:               00000010

PE Sections:
  Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
  .text    000219FC  00001000  00021A00  00000400  E0000020  (code, execute, read, write)
  .rdata   00000166  00023000  00000200  00021E00  40000040  (initialized data, read)

Import table (libraries: 2):
  ntdll.dll (imports: 6):     wcslen, _wcsicmp, NtProtectVirtualMemory, NtUnmapViewOfSection, NtMapViewOfSection, memcpy
  KERNEL32.dll (imports: 4):  GetProcAddress, LoadLibraryW, GetCurrentProcess, GetModuleHandleA

The static picture is that of a self-unpacking stub rather than an ordinary program: one code section that is writable as well as executable, the entry point at that section's first byte, relocations stripped, no checksum, and only ten imports, among them the section-mapping and page-protection syscalls from ntdll plus LoadLibraryW/GetProcAddress for resolving the real import table at run time. The headers and the two sections account for 0x22000 (139264) bytes of the 169984-byte file, so roughly 30 KB sits in an overlay after .rdata. The Crypt/EncPk family names in the scan results say the same thing.

Disassembler header for the entry section, as captured in the original report:

  .text:00401000 ; Format : Portable executable for 80386 (PE)
  .text:00401000 ; Imagebase : 400000
  .text:00401000 ; Section 1. (virtual address 00001000)
  .text:00401000 ; Virtual size : 00026000 ( 155648.)
  .text:00401000 ; Section size in file : 00025800 ( 153600.)
  .text:00401000 ; Offset to raw data for section: 00000400
  .text:00401000 ; Flags E0000020: Text Executable Readable Writable
  .text:00401000 ; Alignment : default
  .text:00401000
  .text:00401000 .686p
  .text:00401000 .mmx
  .text:00401000 .model flat

Note that the section sizes in this listing (00026000 virtual, 00025800 in file) do not match the section table above (000219FC / 00021A00); the original report does not reconcile the two figures.

Load Time DLL:
  Module Name                                                                                                    Base Address  Size
  C:\WINDOWS\system32\ntdll.dll                                                                                  0x7C900000    0x000B0000
  C:\WINDOWS\system32\kernel32.dll                                                                               0x7C800000    0x000F5000
  C:\WINDOWS\system32\user32.dll                                                                                 0x7E410000    0x00090000
  C:\WINDOWS\system32\GDI32.dll                                                                                  0x77F10000    0x00047000
  C:\WINDOWS\system32\SHELL32.dll                                                                                0x7C9C0000    0x00815000
  C:\WINDOWS\system32\ADVAPI32.dll                                                                               0x77DD0000    0x0009B000
  C:\WINDOWS\system32\RPCRT4.dll                                                                                 0x77E70000    0x00092000
  C:\WINDOWS\system32\Secur32.dll                                                                                0x77FE0000    0x00011000
  C:\WINDOWS\system32\msvcrt.dll                                                                                 0x77C10000    0x00058000
  C:\WINDOWS\system32\SHLWAPI.dll                                                                                0x77F60000    0x00076000
  C:\WINDOWS\system32\IMM32.DLL                                                                                  0x76390000    0x0001D000
  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll  0x773D0000    0x00103000
  C:\WINDOWS\system32\comctl32.dll                                                                               0x5D090000    0x0009A000

Run Time DLL:
  Module Name                         Base Address  Size
  C:\WINDOWS\system32\iertutil.dll    0x42990000    0x00045000
  C:\WINDOWS\system32\urlmon.dll      0x42CF0000    0x00124000
  C:\WINDOWS\system32\ieframe.dll     0x42EF0000    0x005CB000
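The header summary above can be checked mechanically. The following script is an added example (not part of the original report): the MMCODEC dictionary transcribes the report's own figures, while the bit tables come from the PE/COFF specification; the threshold of 16 imports and the wording of the findings are the editor's heuristics, not fields from the report.

```python
"""Static triage of a PE header summary: decode flags, timestamp, overlay size
and the usual packer/loader indicators.  Added example; the input dictionary
is transcribed from the sandbox report, not read from the sample itself."""
from datetime import datetime, timezone

# Bit names from the PE/COFF specification (subset that matters for triage).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH", 0x0800: "NO_BIND", 0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_CHARACTERISTICS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}

# Constructed input: header fields, section table and import list of
# mmcodec.exe exactly as printed in the report on this page.
MMCODEC = {
    "file_size": 169984,
    "timestamp": 0x47F99438,
    "characteristics": 0x0103,
    "dll_characteristics": 0x0600,
    "entry_point": 0x1000,
    "size_of_headers": 0x400,
    "checksum": 0,
    # (name, VirtSize, VirtAddr, PhysSize, PhysAddr, Flags)
    "sections": [
        (".text",  0x219FC, 0x01000, 0x21A00, 0x00400, 0xE0000020),
        (".rdata", 0x00166, 0x23000, 0x00200, 0x21E00, 0x40000040),
    ],
    "imports": {
        "ntdll.dll": ["wcslen", "_wcsicmp", "NtProtectVirtualMemory",
                      "NtUnmapViewOfSection", "NtMapViewOfSection", "memcpy"],
        "KERNEL32.dll": ["GetProcAddress", "LoadLibraryW",
                         "GetCurrentProcess", "GetModuleHandleA"],
    },
}

MAPPING_APIS = {"NtMapViewOfSection", "NtUnmapViewOfSection",
                "NtProtectVirtualMemory"}


def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def compile_time(pe):
    """TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)


def overlay_size(pe):
    """Bytes on disk beyond the end of the last section's raw data."""
    end = pe["size_of_headers"]
    for _name, _vs, _va, raw_size, raw_off, _flags in pe["sections"]:
        end = max(end, raw_off + raw_size)
    return pe["file_size"] - end


def triage(pe):
    """Packer/loader indicators present in the header summary, as strings."""
    findings = []
    for name, _vs, vaddr, _rs, _ro, flags in pe["sections"]:
        f = set(decode_flags(flags, SECTION_CHARACTERISTICS))
        if {"MEM_EXECUTE", "MEM_WRITE"} <= f:
            findings.append(f"section {name} is writable and executable")
        if "MEM_EXECUTE" in f and pe["entry_point"] == vaddr:
            findings.append(f"entry point is the first byte of {name}")
    total = sum(len(v) for v in pe["imports"].values())
    if total < 16:  # editor's threshold; real applications import far more
        findings.append(f"tiny import table ({total} functions)")
    ntdll = set(pe["imports"].get("ntdll.dll", []))
    if ntdll & MAPPING_APIS:
        findings.append("manual mapping primitives: "
                        + ", ".join(sorted(ntdll & MAPPING_APIS)))
    k32 = set(pe["imports"].get("KERNEL32.dll", []))
    if "GetProcAddress" in k32 and any(n.startswith("LoadLibrary") for n in k32):
        findings.append("imports resolved at run time (LoadLibrary + GetProcAddress)")
    if pe["checksum"] == 0:
        findings.append("PE checksum not set")
    if overlay_size(pe) > 0:
        findings.append(f"overlay of {overlay_size(pe)} bytes after the last section")
    return findings


if __name__ == "__main__":
    print("compiled:", compile_time(MMCODEC).isoformat())
    print("file flags:", decode_flags(MMCODEC["characteristics"], FILE_CHARACTERISTICS))
    print("dll flags:", decode_flags(MMCODEC["dll_characteristics"], DLL_CHARACTERISTICS))
    for line in triage(MMCODEC):
        print(" -", line)
```

Run stand-alone it prints the decoded build time, the flag names and seven findings for this sample; the same functions can be fed a dictionary produced by any PE parser for other files. None of these indicators is conclusive on its own (a checksum of zero is common in legitimate binaries), but the combination of a writable code section, an entry point at its first byte, a ten-function import table with section-mapping syscalls, and a 30 KB overlay is what a packed stub looks like.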
  C:\WINDOWS\system32\UxTheme.dll     0x5AD70000    0x00038000
  C:\WINDOWS\system32\netapi32.dll    0x5B860000    0x00054000
  C:\WINDOWS\system32\MSCTF.dll       0x74720000    0x0004B000
  C:\WINDOWS\system32\msctfime.ime    0x755C0000    0x0002E000
  C:\WINDOWS\system32\PSAPI.DLL       0x76BF0000    0x0000B000
  C:\WINDOWS\system32\CLBCATQ.DLL     0x76FD0000    0x0007F000
  C:\WINDOWS\system32\COMRes.dll      0x77050000    0x000C5000
  C:\WINDOWS\system32\OLEAUT32.DLL    0x77120000    0x0008B000
  C:\WINDOWS\system32\ole32.dll       0x774E0000    0x0013D000
  C:\WINDOWS\system32\SETUPAPI.dll    0x77920000    0x000F3000
  C:\WINDOWS\system32\Apphelp.dll     0x77B40000    0x00022000
  C:\WINDOWS\system32\version.dll     0x77C00000    0x00008000

Popup Window:
  Window Name     Window Text
  Runtime error   OK  Unsupported Operating System Version

The dialog is shown by the sample while it drops and launches the files listed below; it is the only thing the user sees.

Registry Changes (sample process):
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Common Desktop = C:\Documents and Settings\All Users\Desktop
    Common Documents = C:\Documents and Settings\All Users\Documents
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83ce-7d74-11dc-97e2-806d6172696f}\
    BaseClass = Drive
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83cf-7d74-11dc-97e2-806d6172696f}\
    BaseClass = Drive
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache = C:\Documents and Settings\user\Local Settings\Temporary Internet Files
    Cookies = C:\Documents and Settings\user\Cookies
    Desktop = C:\Documents and Settings\user\Desktop
    Personal = C:\Documents and Settings\user\My Documents
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    AutoDetect = 1
    IntranetName = 1
    ProxyBypass = 1
    UNCAsIntranet = 1
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\
    C:\1.bat = 1
    C:\WINDOWS\comsysobj.exe = comsysobj
    C:\WINDOWS\hllibex.exe = hllibex
    C:\WINDOWS\shellexcon.exe = shellexcon
    C:\WINDOWS\win32st.exe = win32st
    C:\WINDOWS\winstrse.exe = winstrse

The Shell Folders, MountPoints2 and ZoneMap writes are cache side effects of the shell and WinINet APIs the sample calls and carry no signal of their own. The MUICache entries are worth keeping: each records a program the shell launched during the run, which here means C:\1.bat and the five dropped executables.

Registry Reads (sample process; "(xN)" is the number of reads):
  HKLM\SOFTWARE\CLASSES\.ADE  (default) = Access.ADEFile.11 (x6)
  HKLM\SOFTWARE\CLASSES\.ADP  (default) = Access.Project.11 (x6)
  HKLM\SOFTWARE\CLASSES\.ASP  (default) = aspfile (x6)
  HKLM\SOFTWARE\CLASSES\.BAT  (default) = batfile (x8)
  HKLM\SOFTWARE\CLASSES\.CER  (default) = CERFile (x5)
  HKLM\SOFTWARE\CLASSES\.CHM  (default) = chm.file (x5)
  HKLM\SOFTWARE\CLASSES\.CMD  (default) = cmdfile (x5)
  HKLM\SOFTWARE\CLASSES\.COM  (default) = comfile (x5)
  HKLM\SOFTWARE\CLASSES\.CPL  (default) = cplfile (x5)
  HKLM\SOFTWARE\CLASSES\.CRT  (default) = CERFile (x5)
  HKLM\SOFTWARE\CLASSES\.EXE  (default) = exefile (x11)
  HKLM\SOFTWARE\CLASSES\BATFILE\SHELL\OPEN\COMMAND  (default) = "%1" %* (x2)
  HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32  (default) = %SystemRoot%\system32\SHELL32.dll (x2)
  HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32  (default) = C:\WINDOWS\system32\urlmon.dll (x2); ThreadingModel = Both (x1)
  HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32  (default) = C:\WINDOWS\system32\ieframe.dll (x2); ThreadingModel = Apartment (x1)
  HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELLFOLDER  WantsParseDisplayName (x1)
  HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32  (default) = shell32.dll (x6)
  HKLM\SOFTWARE\CLASSES\DIRECTORY  AlwaysShowExt (x1)
  HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}  DriveMask = 32 (x6)
  HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND  (default) = "%1" %* (x10)
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  EnablePunycode = 1 (x1)
  HKLM\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32  (default) = C:\WINDOWS\system32\ieframe.dll (x1)
  HKLM\Software\Microsoft\COM3  Com+Enabled = 1 (x4); REGDBVersion = 0x0f00000000000000 (x4)
  HKLM\Software\Microsoft\CTF\SystemShared  CUAS = 0 (x1)
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM  Ime File = msctfime.ime (x1)
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation  CutList = 0x4100700070006c00690063006100740069006f006e002000460069006c00 (x12)
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks  {AEB6717E-7E19-11d0-97EE-00C04FD91972} (x6)
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Common Desktop = %ALLUSERSPROFILE%\Desktop (x1); Common Documents = %ALLUSERSPROFILE%\Documents (x1)
  HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com  (x1)
  HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related  http = 4 (x1)
  HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  ExecutableTypes = 0x410044004500000041004400500000004200410053000000420041005400 (x1); TransparentEnabled = 1 (x6)
  HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName = USER (x2)
  HKLM\System\Setup  SystemSetupInProgress = 0 (x1)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\  ShellState = 0x2400000033880000000000000000000000000000010000000d0000000000 (x2)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  DontPrettyPath = 0; Filter = 0; Hidden = 1; HideFileExt = 0; HideIcons = 0; MapNetDrvBtn = 0; NoNetCrawling = 0; SeparateProcess = 0; ShowCompColor = 1; ShowInfoTip = 1; ShowSuperHidden = 1; WebView = 0 (x1 each)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\  Data = 0x000000005c005c003f005c0049004400450023004300640052006f006d00 (x1); Generation = 1 (x1)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\  Data = 0x000000005c005c003f005c00530054004f00520041004700450023005600 (x1); Generation = 1 (x6)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Cache = %USERPROFILE%\Local Settings\Temporary Internet Files (x1); Cookies = %USERPROFILE%\Cookies (x1); Desktop = %USERPROFILE%\Desktop (x1); Personal = %USERPROFILE%\My Documents (x1)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\  (x1); @ivt = 1 (x1); file = 3 (x1); ftp = 3 (x1); http = 3 (x1); https = 3 (x1); shell = 0 (x1)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0  1806 = 0 (x1); Flags = 33 (x2)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1  Flags = 475 (x2)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2  Flags = 71 (x2)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3  Flags = 1 (x2)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  Flags = 3 (x2)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  {871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401 = 0x01000000310032003a893fef1312c801 (x1)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam  USER (x1)
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache  LangID = 0x0904

The repeated reads of the .EXE/.BAT ProgIDs, of EXEFILE\SHELL\OPEN\COMMAND and of ShellExecuteHooks are consistent with the dropped files being started through ShellExecute rather than CreateProcess.

Monitored Registry Values:
  Key                            Watch subtree  Notify Filter             Count
  HKLM\Software\Classes          1              Key Change,Value Change   6
  HKLM\Software\Classes\CLSID    1              Key Change,Value Change   4
  HKLM\Software\Microsoft\COM3   1              Key Change,Value Change   12
  HKU                            1              Key Change,Value Change   6

Files Created:
  C:\1.bat
  C:\WINDOWS\comsysobj.exe
  C:\WINDOWS\config.ini
  C:\WINDOWS\cracrwinz.exe
  C:\WINDOWS\hllibex.exe
  C:\WINDOWS\shellexcon.exe

Files Read:
  C:\1.bat
  C:\Documents and Settings\All Users\Documents\desktop.ini
  C:\Documents and Settings\user\My Documents\desktop.ini
  C:\WINDOWS\Registration\R00000000000f.clb
  PIPE\lsarpc
  PIPE\wkssvc

Files Monitored:
  MountPointManager
  PIPE\lsarpc
  PIPE\wkssvc

FileSystem Control Communication:
  File         Control Code  Times
  PIPE\wkssvc  0x0011C017    1
  PIPE\lsarpc  0x0011C017    10

Device Control Communication:
  File                                                                                                                            Control Code  Times
  IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008    1
  MountPointManager                                                                                                               0x006D0008    2
  STORAGE#Volume#1&30a96598&0&Signature95619561Offset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}                  0x004D0008    1
  MountPointManager                                                                                                               0x006D0034    4
  WMIDataDevice                                                                                                                   0x00228144    2

Memory Mapped:
  File Name
  C:\WINDOWS\system32\Msimtf.dll
  C:\WINDOWS\system32\rpcss.dll

Process Created:
  Executable                 Command Line
  C:\WINDOWS\comsysobj.exe   "C:\WINDOWS\comsysobj.exe"
  C:\WINDOWS\hllibex.exe     "C:\WINDOWS\hllibex.exe"
  C:\WINDOWS\shellexcon.exe  "C:\WINDOWS\shellexcon.exe"
  C:\WINDOWS\win32st.exe     "C:\WINDOWS\win32st.exe"
  C:\WINDOWS\winstrse.exe    "C:\WINDOWS\winstrse.exe"

Files Created lists cracrwinz.exe, which is never executed, while win32st.exe and winstrse.exe are executed (and recorded in MUICache) without appearing in Files Created. The two lists do not fully overlap, so hunt on their union.

Mutex Created:
  CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003
  Local\ZoneAttributeCacheCounterMutex
  MSCTF.Shared.MUTEX.AN

Process Started: comsysobj.exe
  MD5:          17195c2104aee64b598aa815332bb6a4
  SHA-1:        803d471f7b2c03f185c74444dd01309e82afe55c
  File Size:    25600 Bytes
  Command Line: "C:\WINDOWS\comsysobj.exe"
  Registry Changes:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  SMSERIALWORKSTARTER = "C:\WINDOWS\comsysobj.exe"
  File Read:
    C:\WINDOWS\config.ini

Process Started: hllibex.exe
  MD5:          744fc079a188122a3710c1722cf30f55
  SHA-1:        9468c1ccc72d1347b885ce17b1a8757ea4fc5b0e
  File Size:    20992 Bytes
  Command Line: "C:\WINDOWS\hllibex.exe"

Process Started: shellexcon.exe
  MD5:          3fe0e32201f34616edb7447e976df470
  SHA-1:        8bf1aaa5468b8ad3def3feb7c1337509ed98f51b
  File Size:    29184 Bytes
  Command Line: "C:\WINDOWS\shellexcon.exe"
  Registry Changes:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  SMSERIALWORKERSTART = "C:\WINDOWS\shellexcon.exe"
  Registry Reads:
    HKLM\Software\Microsoft\CTF\SystemShared  CUAS = 0 (x1)
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM  Ime File = msctfime.ime
  File Read:
    C:\WINDOWS\config.ini

Process Started: win32st.exe
  MD5:          7dfb42300357f7b50ba763497e6c41c7
  SHA-1:        12da99a05a8dd561b44dce911251f517b0b3b149
  File Size:    36864 Bytes
  Command Line: "C:\WINDOWS\win32st.exe"
  Registry Changes:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  SMSERIALSTARTER = "C:\WINDOWS\win32st.exe"

Registry Changes (printed in the report without a process header; no hash or size is given for winstrse.exe):
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  SMSERIALWORKERSTARTER = "C:\WINDOWS\winstrse.exe"
  File Read:
    C:\WINDOWS\config.ini

Process Started: cmd.exe
  MD5:          eeb024f2c81f0d55936fb825d21a91d6
  SHA-1:        dd47ff16176412ec2e170cda441b4a220ff52f46
  File Size:    388608 Bytes
  Command Line: cmd /c ""C:\1.bat" C:\sample.exe"
  Registry Reads:
    HKLM\Software\Microsoft\Command Processor  AutoRun (x1); CompletionChar = 64 (x1); DefaultColor = 0 (x1); EnableExtensions = 1 (x1); PathCompletionChar = 64 (x1)
    HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  DefaultLevel = 262144 (x1); PolicyScope = 0 (x1)
    HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg = 32771; ItemData = 0x5eab304f957a49896a006c1c31154015; ItemSize = 779; SaferFlags = 0 (x1 each)
    HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg = 32771; ItemData = 0x67b0d48b343a3fd3bce9dc646704f394; ItemSize = 517; SaferFlags = 0 (x1 each)
    HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg = 32771; ItemData = 0x327802dcfef8c893dc8ab006dd847d1d; ItemSize = 918; SaferFlags = 0 (x1 each)
    HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg = 32771; ItemData = 0xbd9a2adb42ebd8560e250e4df8162f67; ItemSize = 229; SaferFlags = 0 (x1 each)
    HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg = 32771; ItemData = 0x386b085f84ecf669d36b956a22c01e80; ItemSize = 370; SaferFlags = 0 (x1 each)
    HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData = %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* (x1); SaferFlags = 0 (x1)
    HKLM\System\CurrentControlSet\Control\Nls\Language Groups  1 = 1 (x1)
    HKLM\System\CurrentControlSet\Control\Nls\Locale  00000409 = 1 (x1)
    HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor  CompletionChar = 9 (x1); DefaultColor = 0 (x1); EnableExtensions = 1 (x1)
    HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache = C:\Documents and Settings\user\Local Settings\Temporary Internet Files (x1)
  Files Read:
    C:\1.bat
  Files Deleted:
    C:\1.bat
    C:\sample.exe

The Safer\CodeIdentifiers reads are the Software Restriction Policy lookup that Windows performs before cmd.exe runs a program; they belong to the OS, not to the sample. The batch file is the interesting part: the dropper passes its own path (C:\sample.exe, the sandbox's name for it) to C:\1.bat, and the batch deletes both that file and itself, so the original executable is gone once the dropped copies are running from C:\WINDOWS.

Indicators from this run, in one place:
  Persistence:   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run values SMSERIALWORKSTARTER (comsysobj.exe), SMSERIALWORKERSTART (shellexcon.exe), SMSERIALSTARTER (win32st.exe), SMSERIALWORKERSTARTER (winstrse.exe)
  Dropped files: C:\WINDOWS\comsysobj.exe, C:\WINDOWS\hllibex.exe, C:\WINDOWS\shellexcon.exe, C:\WINDOWS\win32st.exe, C:\WINDOWS\winstrse.exe, C:\WINDOWS\cracrwinz.exe, C:\WINDOWS\config.ini (read by every dropped component)
  Self-deletion: cmd /c ""C:\1.bat" <dropper path>", followed by deletion of the batch and the dropper
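The behavioural indicators above reduce to three checks that can be run over sandbox or EDR events. The script below is an added example, not part of the original report: EVENTS is a constructed transcription of the report's Files Created, Process Created, Registry Changes and Files Deleted lists; the process paths, the cmd.exe image name and the attribution of the SMSERIALWORKERSTARTER value to winstrse.exe are assumptions, because the report prints that change without a process header.

```python
"""Three behavioural checks over sandbox-style events (added example):
executables dropped straight into the Windows directory, Run-key values that
point at files written or launched in the same session, and a self-deleting
batch file that receives the dropper's own path.  EVENTS is constructed from
the tables in the report; attributions marked below are assumptions."""
import re

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = r"C:\sample.exe"   # the sandbox's name for the running sample
W = r"C:\WINDOWS"


def created(proc, path):
    return {"type": "file_create", "proc": proc, "path": path}

def launched(proc, image, cmdline):
    return {"type": "process_create", "proc": proc, "image": image, "cmdline": cmdline}

def reg_set(proc, name, data):
    return {"type": "reg_set", "proc": proc, "key": RUN_KEY, "name": name, "data": data}

def deleted(proc, path):
    return {"type": "file_delete", "proc": proc, "path": path}


EVENTS = [
    created(SAMPLE, r"C:\1.bat"),
    created(SAMPLE, W + r"\comsysobj.exe"),
    created(SAMPLE, W + r"\config.ini"),
    created(SAMPLE, W + r"\cracrwinz.exe"),
    created(SAMPLE, W + r"\hllibex.exe"),
    created(SAMPLE, W + r"\shellexcon.exe"),
    *[launched(SAMPLE, W + "\\" + n, f'"{W}\\{n}"')
      for n in ("comsysobj.exe", "hllibex.exe", "shellexcon.exe",
                "win32st.exe", "winstrse.exe")],
    reg_set(W + r"\comsysobj.exe",  "SMSERIALWORKSTARTER",   f'"{W}\\comsysobj.exe"'),
    reg_set(W + r"\shellexcon.exe", "SMSERIALWORKERSTART",   f'"{W}\\shellexcon.exe"'),
    reg_set(W + r"\win32st.exe",    "SMSERIALSTARTER",       f'"{W}\\win32st.exe"'),
    # Assumption: the report lists this change without naming the process.
    reg_set(W + r"\winstrse.exe",   "SMSERIALWORKERSTARTER", f'"{W}\\winstrse.exe"'),
    launched(SAMPLE, "cmd.exe", 'cmd /c ""C:\\1.bat" C:\\sample.exe"'),
    deleted("cmd.exe", r"C:\1.bat"),
    deleted("cmd.exe", SAMPLE),
]

# An .exe directly under C:\WINDOWS (not in a subdirectory).
SYSROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')


def session_binaries(events):
    """Paths the run wrote or launched.  The report's created and executed
    lists do not fully overlap, so the union is what persistence is matched
    against."""
    paths = set()
    for e in events:
        if e["type"] == "file_create":
            paths.add(e["path"].lower())
        elif e["type"] == "process_create":
            paths.add(e["image"].lower())
    return paths


def dropped_into_system_root(events):
    """Executables written straight into the Windows directory."""
    return {e["path"] for e in events
            if e["type"] == "file_create" and SYSROOT_EXE.match(e["path"])}


def run_key_persistence(events):
    """(value name, target) for Run values pointing at session binaries."""
    known = session_binaries(events)
    hits = []
    for e in events:
        if e["type"] != "reg_set" or not e["key"].lower().endswith(r"\currentversion\run"):
            continue
        target = e["data"].strip('"')
        if target.lower() in known:
            hits.append((e["name"], target))
    return hits


def self_delete_via_batch(events):
    """(batch, executable) pairs where cmd /c ran a .bat that was handed an
    .exe path, and both files were deleted afterwards."""
    gone = {e["path"].lower() for e in events if e["type"] == "file_delete"}
    hits = []
    for e in events:
        if e["type"] != "process_create" or not e.get("cmdline"):
            continue
        if not re.match(r"^cmd(\.exe)?\s+/c\b", e["cmdline"], re.I):
            continue
        paths = WIN_PATH.findall(e["cmdline"])
        bats = [p for p in paths if p.lower().endswith(".bat")]
        exes = [p for p in paths if p.lower().endswith(".exe")]
        hits += [(b, x) for b in bats for x in exes
                 if b.lower() in gone and x.lower() in gone]
    return hits


if __name__ == "__main__":
    print("dropped into %SystemRoot%:", sorted(dropped_into_system_root(EVENTS)))
    print("Run-key persistence:", run_key_persistence(EVENTS))
    print("self-delete via batch:", self_delete_via_batch(EVENTS))
```

The persistence check deliberately matches Run values against both written and launched paths; matching against Files Created alone would miss win32st.exe and winstrse.exe, exactly the gap between the two lists in this report. On a live host the same three functions can be fed process-creation, file and registry events from whatever telemetry is available, with the Run-key suffix test widened to HKCU and the RunOnce keys.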