May 6, 2008 Poison Ivy EXE RSIS Commentary from RSISPubllcation@NTU.EDU.SG

Posted on March 6, 2010

Here is a blast from the past.  The message contains a zip file with a Poison Ivy executable - a fairly unsophisticated method of delivery, comparing to the methods we see these days. I found the fact that the message importance is set to low a bit unusual and amusing. Note the date of the attack - 2008.

Link updated: Jan 18, 2023 

http://contagio.deependresearch.org/APT/China/Poison+Ivy+EXE+105C80E404324938EAE633934EE44ED1+RSIS-exe.zip   (email me if you need a password - address is in the profile)
 

-----Original Message-----
From: RSISPubllcation [mailto:RSISPubllcation@NTU.EDU.SG]
Sent: Tuesday, May 06, 2008 9:10 PM
To: XXXXXXXXXXXXX
Subject: RSIS Commentary 54/2009 Ending the LTTE
Importance: Low

Dear All,
1. We are pleased to attach for your reading pleasure the following RSIS Commentary by Arabinda Acharya entitled Ending the LTTE: Recipe for counter-terrorism?
2. Synopsis:

Despite the very high cost in terms of lives lost and internal displacements, the military victory against the LTTE is a lesson in warfare for countries fighting insurgency and terrorism.


Regards,
RSISPublication,
for Yang Razali Kassim
Senior Fellow &
Editor RSIS Commentaries
 
http://www.virustotal.com/analisis/b71040cfa7545804d02afb8bb39639cf9c5dfd7439b29b6d3cf7a1ea8b9a5efc-1267933534
Virustotal results - 40/42 (not sure why eSafe and eTrust-Vet don't detect it :)
 a-squared    4.5.0.50    2010.03.06    Trojan.Win32.Agent!IK
AhnLab-V3    5.0.0.2    2010.03.06    Win-Trojan/Agent.45056.AJR
AntiVir    8.2.1.180    2010.03.05    TR/Agent.clsw
Antiy-AVL    2.0.3.7    2010.03.05    Trojan/Win32.Agent.gen
Authentium    5.2.0.5    2010.03.06    W32/Trojan2.HSKK
Avast    4.8.1351.0    2010.03.06    Win32:Trojan-gen
Avast5    5.0.332.0    2010.03.06    Win32:Trojan-gen
AVG    9.0.0.787    2010.03.06    Agent2.LBZ
BitDefender    7.2    2010.03.07    Trojan.Generic.2039983
CAT-QuickHeal    10.00    2010.03.06    Trojan.Agent.ckug
ClamAV    0.96.0.0-git    2010.03.06    Trojan.Agent-117052
Comodo    4091    2010.02.28    Heur.Suspicious
DrWeb    5.0.1.12222    2010.03.07    Trojan.Siggen.14707
F-Prot    4.5.1.85    2010.03.06    W32/Trojan2.HSKK
F-Secure    9.0.15370.0    2010.03.07    Trojan.Generic.2039983
Fortinet    4.0.14.0    2010.03.06    W32/Agent.CLSW!tr
GData    19    2010.03.07    Trojan.Generic.2039983
Ikarus    T3.1.1.80.0    2010.03.06    Trojan.Win32.Agent
Jiangmin    13.0.900    2010.03.06    Trojan/Agent.cmzc
K7AntiVirus    7.10.990    2010.03.04    Trojan.Win32.Agent.clsw
Kaspersky    7.0.0.125    2010.03.07    Trojan.Win32.Agent.clsw
McAfee    5912    2010.03.06    Generic BackDoor.m
McAfee+Artemis    5912    2010.03.06    Generic BackDoor.m
McAfee-GW-Edition    6.8.5    2010.03.07    Trojan.Agent.clsw
Microsoft    1.5502    2010.03.06    Backdoor:Win32/Poisonivy.E
NOD32    4921    2010.03.06    probably a variant of Win32/Agent
Norman    6.04.08    2010.03.06    W32/Agent.SKBD
nProtect    2009.1.8.0    2010.03.06    Trojan/W32.Agent.45056.MQ
Panda    10.0.2.2    2010.03.06    Trj/Downloader.MDW
PCTools    7.0.3.5    2010.03.04    Backdoor.Trojan
Prevx    3.0    2010.03.07    High Risk System Back Door
Rising    22.37.06.01    2010.03.07    Trojan.DL.Win32.Undef.eyn
Sophos    4.51.0    2010.03.06    Mal/Generic-A
Sunbelt    5776    2010.03.07    Trojan.Win32.Generic!BT
Symantec    20091.2.0.41    2010.03.07    Backdoor.Trojan
TheHacker    6.5.1.9.223    2010.03.07    Trojan/Agent.clsw
TrendMicro    9.120.0.1004    2010.03.07    BKDR_POISON.UG
VBA32    3.12.12.2    2010.03.05    Trojan.Win32.Agent.ckun
ViRobot    2010.3.5.2214    2010.03.05    Trojan.Win32.Agent.45056.GJ
VirusBuster    5.0.27.0    2010.03.06    Trojan.Agent.LZDM
Additional information
File size: 45056 bytes
MD5...: 105c80e404324938eae633934ee44ed1

Threatexpert Report
http://www.threatexpert.com/report.aspx?md5=105c80e404324938eae633934ee44ed1
    * The following Alternate Data Stream was created in the system:
#    ADS name(s)    ADS Size    ADS Hash    Alias
1     %Windir%\system32:msxmltwo.exe     45,056 bytes    

MD5: 0x105C80E404324938EAE633934EE44ED1
SHA-1: 0x8D599ED218C08603C1C86CA315959286FA553C56    
Backdoor.Trojan [PCTools]

    Registry Modifications
    * The following Registry Keys were created:
          o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E09850B8-3A60-D081-6B9B-960D43D3510C}
          o HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
          o HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\PsThems
          o HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\PsThems\Settings

    * The newly created Registry Value is:
          o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E09850B8-3A60-D081-6B9B-960D43D3510C}]
                + StubPath = "%Windir%\system32:msxmltwo.exe"




Anubis Report
http://anubis.iseclab.org/?action=result&task_id=17dcf8eaeeed8708481ff44961985d488
          o   RSIS.exe
                +   C:\RSIS.exe
                +   Started by RSIS.exe
                +   Explorer.EXE
                      #   C:\WINDOWS\Explorer.EXE
                      #   RSIS.exe wrote to the virtual memory of this process
                      #   IEXPLORE.EXE
                            *   IEXPLORE.EXE
                            *   Started by Explorer.EXE
[#############################################################################] Anubis Analysis Report for RSIS.exe MD5: 105c80e404324938eae633934ee44ed1 [#############################################################################] Summary: - Creates files in the Windows system directory: Malware often keepscopies of itself in the Windows directory to stay undetected by users. - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Spawns Processes: The executable produces processes during the execution. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - RSIS.exe a) Registry Activities b) File Activities c) Process Activities d) Other Activities - RSIS.exe a) Registry Activities b) File Activities c) Process Activities d) Other Activities - Explorer.EXE a) Registry Activities b) File Activities c) Process Activities d) Other Activities - IEXPLORE.EXE a) Registry Activities b) File Activities c) Network Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 242 s Report created: 03/07/10, 04:06:00 UTC Termination reason: Timeout Program version: 1.74.2603 [=============================================================================] Global Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Unknown UDP Traffic: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] From ANUBIS:1025 to 192.168.0.1:53 State: [ Normal establishment and termination ], Outbound Bytes: [ 96 ], Inbound Bytes: [ 372 ] From ANUBIS:1025 to 192.168.0.1:53 State: [ Normal establishment and termination ], Outbound Bytes: [ 64 ], Inbound Bytes: [ 248 ] [#############################################################################] 2. RSIS.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: RSIS.exe Command Line: "C:\RSIS.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\MFC42.DLL ], Base Address: [0x73DD0000 ], Size: [0x000FE000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] [=============================================================================] 2.a) RSIS.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Local AppWizard-Generated Applications ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Local AppWizard-Generated Applications\PsThems ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Local AppWizard-Generated Applications\PsThems\Recent File List ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Local AppWizard-Generated Applications\PsThems\Settings ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time [=============================================================================] 2.b) RSIS.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ \Device\NamedPipe\Win32Pipes.00000628.00000001 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\RSIS.exe ] File Name: [ C:\WINDOWS\system32\COMCTL32.DLL ] File Name: [ C:\WINDOWS\system32\MFC42.DLL ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] [=============================================================================] 2.c) RSIS.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\RSIS.exe ], Command Line: [ ] Executable: [ C:\RSIS.exe ], Command Line: [ StubPath ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\RSIS.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\RSIS.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\RSIS.exe ] [=============================================================================] 2.d) RSIS.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Keyboard Keys Monitored: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Virtual Key Code: [ VK_CAPITAL (20) ], 1 time Virtual Key Code: [ VK_NUMLOCK (144) ], 1 time Virtual Key Code: [ VK_SCROLL (145) ], 1 time [#############################################################################] 3. RSIS.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by RSIS.exe Filename: RSIS.exe MD5: 105c80e404324938eae633934ee44ed1 SHA-1: 8d599ed218c08603c1c86ca315959286fa553c56 File Size: 45056 Bytes Command Line: StubPath Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\MFC42.DLL ], Base Address: [0x73DD0000 ], Size: [0x000FE000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\advpack.dll ], Base Address: [0x75260000 ], Size: [0x00029000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] [=============================================================================] Ikarus Virus Scanner [=============================================================================] Trojan.Win32.Agent (Sig-Id: 30072180) [=============================================================================] 3.a) RSIS.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times [=============================================================================] 3.b) RSIS.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ \Device\NamedPipe\Win32Pipes.000006a0.00000001 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\COMCTL32.DLL ] File Name: [ C:\WINDOWS\system32\MFC42.DLL ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\advpack.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] [=============================================================================] 3.c) RSIS.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\explorer.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\explorer.exe ] [=============================================================================] 3.d) RSIS.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ &@%$?2341 ] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Keyboard Keys Monitored: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Virtual Key Code: [ VK_CAPITAL (20) ], 1 time Virtual Key Code: [ VK_NUMLOCK (144) ], 1 time Virtual Key Code: [ VK_SCROLL (145) ], 1 time [#############################################################################] 4. Explorer.EXE [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: RSIS.exe wrote to the virtual memory of this process Filename: Explorer.EXE MD5: 12896823fb95bfb3dc9b46bcaedc9923 SHA-1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f File Size: 1033728 Bytes Command Line: C:\WINDOWS\Explorer.EXE Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\BROWSEUI.dll ], Base Address: [0x75F80000 ], Size: [0x000FD000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\SHDOCVW.dll ], Base Address: [0x7E290000 ], Size: [0x00171000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ], Base Address: [0x754D0000 ], Size: [0x00080000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\appHelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\System32\cscui.dll ], Base Address: [0x77A20000 ], Size: [0x00054000 ] Module Name: [ C:\WINDOWS\System32\CSCDLL.dll ], Base Address: [0x76600000 ], Size: [0x0001D000 ] Module Name: [ C:\WINDOWS\system32\themeui.dll ], Base Address: [0x5BA60000 ], Size: [0x00071000 ] Module Name: [ C:\WINDOWS\system32\MSIMG32.dll ], Base Address: [0x76380000 ], Size: [0x00005000 ] Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x00BC0000 ], Size: [0x002C5000 ] Module Name: [ C:\WINDOWS\system32\actxprxy.dll ], Base Address: [0x71D40000 ], Size: [0x0001B000 ] Module Name: [ C:\WINDOWS\system32\msutb.dll ], Base Address: [0x5FC10000 ], Size: [0x00033000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\urlmon.dll ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ] Module Name: [ C:\WINDOWS\system32\LINKINFO.dll ], Base Address: [0x76980000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\ntshrui.dll ], Base Address: [0x76990000 ], Size: [0x00025000 ] Module Name: [ C:\WINDOWS\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\webcheck.dll ], Base Address: [0x74B30000 ], Size: [0x00046000 ] Module Name: [ C:\WINDOWS\system32\WSOCK32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] Module Name: [ C:\WINDOWS\system32\stobject.dll ], Base Address: [0x76280000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\BatMeter.dll ], Base Address: [0x74AF0000 ], Size: [0x0000A000 ] Module Name: [ C:\WINDOWS\system32\POWRPROF.dll ], Base Address: [0x74AD0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\msi.dll ], Base Address: [0x7D1E0000 ], Size: [0x002BC000 ] Module Name: [ C:\WINDOWS\system32\NETSHELL.dll ], Base Address: [0x76400000 ], Size: [0x001A5000 ] Module Name: [ C:\WINDOWS\system32\credui.dll ], Base Address: [0x76C00000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\system32\dot3api.dll ], Base Address: [0x478C0000 ], Size: [0x0000A000 ] Module Name: [ C:\WINDOWS\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\dot3dlg.dll ], Base Address: [0x736D0000 ], Size: [0x00006000 ] Module Name: [ C:\WINDOWS\system32\OneX.DLL ], Base Address: [0x5DCA0000 ], Size: [0x00028000 ] Module Name: [ C:\WINDOWS\system32\eappcfg.dll ], Base Address: [0x745B0000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\eappprxy.dll ], Base Address: [0x5DCD0000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\System32\drprov.dll ], Base Address: [0x75F60000 ], Size: [0x00007000 ] Module Name: [ C:\WINDOWS\System32\ntlanman.dll ], Base Address: [0x71C10000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\System32\NETUI0.dll ], Base Address: [0x71CD0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\System32\NETUI1.dll ], Base Address: [0x71C90000 ], Size: [0x00040000 ] Module Name: [ C:\WINDOWS\System32\NETRAP.dll ], Base Address: [0x71C80000 ], Size: [0x00007000 ] Module Name: [ C:\WINDOWS\System32\davclnt.dll ], Base Address: [0x75F70000 ], Size: [0x0000A000 ] Module Name: [ C:\WINDOWS\system32\browselc.dll ], Base Address: [0x71600000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\MLANG.dll ], Base Address: [0x75CF0000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\IMM32.dll ], Base Address: [0x76390000 ], Size: [0x0001D000 ] [=============================================================================] 4.a) Explorer.EXE - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{E09850B8-3A60-D081-6B9B-960D43D3510C} ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{E09850B8-3A60-D081-6B9B-960D43D3510C} ], Value Name: [ StubPath ], New Value: [ C:\WINDOWS\system32:msxmltwo.exe ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.aif\OpenWithProgids ], Value Name: [ AIFFFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.aifc\OpenWithProgids ], Value Name: [ AIFFFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.aiff\OpenWithProgids ], Value Name: [ AIFFFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.asf\OpenWithProgids ], Value Name: [ ASFFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.asx\OpenWithProgids ], Value Name: [ ASXFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.au\OpenWithProgids ], Value Name: [ AUFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.avi\OpenWithProgids ], Value Name: [ avifile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.bmp\OpenWithProgids ], Value Name: [ Paint.Picture ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.css\OpenWithProgids ], Value Name: [ CSSfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.dib\OpenWithProgids ], Value Name: [ Paint.Picture ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.doc\OpenWithProgids ], Value Name: [ WordPad.Document.1 ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.dvr-ms\OpenWithProgids ], Value Name: [ WMP.DVR-MSFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.emf\OpenWithProgids ], Value Name: [ emffile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.gif\OpenWithProgids ], Value Name: [ giffile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.htm\OpenWithProgids ], Value Name: [ htmlfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.html\OpenWithProgids ], Value Name: [ htmlfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.ico\OpenWithProgids ], Value Name: [ icofile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.ivf\OpenWithProgids ], Value Name: [ IVFfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.jfif\OpenWithProgids ], Value Name: [ pjpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.jpe\OpenWithProgids ], Value Name: [ jpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.jpeg\OpenWithProgids ], Value Name: [ jpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.jpg\OpenWithProgids ], Value Name: [ jpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.m1v\OpenWithProgids ], Value Name: [ mpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.m3u\OpenWithProgids ], Value Name: [ m3ufile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mid\OpenWithProgids ], Value Name: [ midfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.midi\OpenWithProgids ], Value Name: [ midfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mp2\OpenWithProgids ], Value Name: [ mpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mp2v\OpenWithProgids ], Value Name: [ mpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mp3\OpenWithProgids ], Value Name: [ mp3file ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mpa\OpenWithProgids ], Value Name: [ mpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mpe\OpenWithProgids ], Value Name: [ mpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mpeg\OpenWithProgids ], Value Name: [ mpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mpg\OpenWithProgids ], Value Name: [ mpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.mpv2\OpenWithProgids ], Value Name: [ mpegfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.png\OpenWithProgids ], Value Name: [ pngfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.rmi\OpenWithProgids ], Value Name: [ midfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.rtf\OpenWithProgids ], Value Name: [ rtffile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.snd\OpenWithProgids ], Value Name: [ AUFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.tif\OpenWithProgids ], Value Name: [ TIFImage.Document ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.tiff\OpenWithProgids ], Value Name: [ TIFImage.Document ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.txt\OpenWithProgids ], Value Name: [ txtfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wav\OpenWithProgids ], Value Name: [ soundrec ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wax\OpenWithProgids ], Value Name: [ WAXFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wdp\OpenWithProgids ], Value Name: [ wdpfile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wm\OpenWithProgids ], Value Name: [ ASFFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wma\OpenWithProgids ], Value Name: [ WMAFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wmf\OpenWithProgids ], Value Name: [ wmffile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wmv\OpenWithProgids ], Value Name: [ WMVFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wmx\OpenWithProgids ], Value Name: [ ASXFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wpl\OpenWithProgids ], Value Name: [ WPLFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wri\OpenWithProgids ], Value Name: [ wrifile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.wvx\OpenWithProgids ], Value Name: [ WVXFile ], New Value: [ ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.zip\OpenWithProgids ], Value Name: [ CompressedFolder ], New Value: [ ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\CLASSES\.386 ], Value Name: [ PerceivedType ], Value: [ system ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.AIF ], Value Name: [ ], Value: [ AIFFFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.AIFC ], Value Name: [ ], Value: [ AIFFFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.AIFF ], Value Name: [ ], Value: [ AIFFFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.ASF ], Value Name: [ ], Value: [ ASFFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.ASM ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.ASMX ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.ASPX ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.ASX ], Value Name: [ ], Value: [ ASXFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.AU ], Value Name: [ ], Value: [ AUFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.AVI ], Value Name: [ ], Value: [ avifile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.BMP ], Value Name: [ ], Value: [ Paint.Picture ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.C ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CHK ], Value Name: [ PerceivedType ], Value: [ system ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CPP ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CSS ], Value Name: [ ], Value: [ CSSfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CSS ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CSV ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CXX ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.DEF ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.DIB ], Value Name: [ ], Value: [ Paint.Picture ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.DIZ ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.DOC ], Value Name: [ ], Value: [ WordPad.Document.1 ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.DVR-MS ], Value Name: [ ], Value: [ WMP.DVR-MSFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.EMF ], Value Name: [ ], Value: [ emffile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.GIF ], Value Name: [ ], Value: [ giffile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.GZ ], Value Name: [ PerceivedType ], Value: [ compressed ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.H ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.HPP ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.HTM ], Value Name: [ ], Value: [ htmlfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.HTM ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.HTML ], Value Name: [ ], Value: [ htmlfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.HTML ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.HXX ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.ICO ], Value Name: [ ], Value: [ icofile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.INC ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.IVF ], Value Name: [ ], Value: [ IVFfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.JAVA ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.JFIF ], Value Name: [ ], Value: [ pjpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.JPE ], Value Name: [ ], Value: [ jpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.JPEG ], Value Name: [ ], Value: [ jpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.JPG ], Value Name: [ ], Value: [ jpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.LOCAL ], Value Name: [ PerceivedType ], Value: [ system ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.M1V ], Value Name: [ ], Value: [ mpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.M3U ], Value Name: [ ], Value: [ m3ufile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MANIFEST ], Value Name: [ PerceivedType ], Value: [ system ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MID ], Value Name: [ ], Value: [ midfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MIDI ], Value Name: [ ], Value: [ midfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MP2 ], Value Name: [ ], Value: [ mpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MP2V ], Value Name: [ ], Value: [ mpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MP3 ], Value Name: [ ], Value: [ mp3file ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MPA ], Value Name: [ ], Value: [ mpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MPE ], Value Name: [ ], Value: [ mpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MPEG ], Value Name: [ ], Value: [ mpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MPG ], Value Name: [ ], Value: [ mpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.MPV2 ], Value Name: [ ], Value: [ mpegfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.NVR ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.OCX ], Value Name: [ PerceivedType ], Value: [ system ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.PHP3 ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.PL ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.PLG ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.PNG ], Value Name: [ ], Value: [ pngfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.RMI ], Value Name: [ ], Value: [ midfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.RTF ], Value Name: [ ], Value: [ rtffile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.SED ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.SHTML ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.SND ], Value Name: [ ], Value: [ AUFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.SQL ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.TAR ], Value Name: [ PerceivedType ], Value: [ compressed ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.TEXT ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.TGZ ], Value Name: [ PerceivedType ], Value: [ compressed ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.TIF ], Value Name: [ ], Value: [ TIFImage.Document ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.TIFF ], Value Name: [ ], Value: [ TIFImage.Document ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.TSV ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.TXT ], Value Name: [ ], Value: [ txtfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.TXT ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.VXD ], Value Name: [ PerceivedType ], Value: [ system ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WAV ], Value Name: [ ], Value: [ soundrec ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WAX ], Value Name: [ ], Value: [ WAXFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WDP ], Value Name: [ ], Value: [ wdpfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WM ], Value Name: [ ], Value: [ ASFFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WMA ], Value Name: [ ], Value: [ WMAFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WMF ], Value Name: [ ], Value: [ wmffile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WMV ], Value Name: [ ], Value: [ WMVFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WMX ], Value Name: [ ], Value: [ ASXFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WMZ ], Value Name: [ PerceivedType ], Value: [ compressed ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WPL ], Value Name: [ ], Value: [ WPLFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WRI ], Value Name: [ ], Value: [ wrifile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WSZ ], Value Name: [ PerceivedType ], Value: [ compressed ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.WVX ], Value Name: [ ], Value: [ WVXFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.X ], Value Name: [ PerceivedType ], Value: [ text ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.Z ], Value Name: [ PerceivedType ], Value: [ compressed ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.ZIP ], Value Name: [ ], Value: [ CompressedFolder ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\INPROCSERVER32 ], Value Name: [ ], Value: [ %SystemRoot%\system32\browseui.dll ], 1 time Key: [ HKLM\SOFTWARE\Classes\http\shell\open\command ], Value Name: [ ], Value: [ "C:\Program Files\Internet Explorer\iexplore.exe" -nohome ], 2 times Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} ], Value Name: [ StubPath ], Value: [ C:\WINDOWS\inf\unregmp2.exe /ShowWMP ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c} ], Value Name: [ StubPath ], Value: [ %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} ], Value Name: [ StubPath ], Value: [ %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} ], Value Name: [ StubPath ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} ], Value Name: [ StubPath ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} ], Value Name: [ StubPath ], Value: [ %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} ], Value Name: [ StubPath ], Value: [ "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B} ], Value Name: [ StubPath ], Value: [ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278} ], Value Name: [ StubPath ], Value: [ %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be} ], Value Name: [ StubPath ], Value: [ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} ], Value Name: [ StubPath ], Value: [ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} ], Value Name: [ StubPath ], Value: [ "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} ], Value Name: [ StubPath ], Value: [ regsvr32.exe /s /n /i:U shell32.dll ], 2 times Key: [ HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} ], Value Name: [ StubPath ], Value: [ %SystemRoot%\system32\ie4uinit.exe ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 2 times [=============================================================================] 4.b) Explorer.EXE - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32:msxmltwo ] File Name: [ C:\WINDOWS\system32:msxmltwo.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\RSIS.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32:msxmltwo ] File Name: [ C:\WINDOWS\system32:msxmltwo.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ unnamed file ], Control Code: [ 0x00228144 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ] File Name: [ C:\Program Files\Internet Explorer\iexplore.exe ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 4.c) Explorer.EXE - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\Program Files\Internet Explorer\iexplore.exe ], Command Line: [ ] Executable: [ ], Command Line: [ "C:\Program Files\Internet Explorer\iexplore.exe" -nohome ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\Program Files\Internet Explorer\iexplore.exe ] Affected Process: [ C:\Program Files\Internet Explorer\iexplore.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\Program Files\Internet Explorer\iexplore.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\Program Files\Internet Explorer\iexplore.exe ] [=============================================================================] 4.d) Explorer.EXE - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ &@%$?2341 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Keyboard Keys Monitored: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Virtual Key Code: [ VK_LBUTTON (1) ], 260 times [#############################################################################] 5. IEXPLORE.EXE [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by Explorer.EXE Filename: IEXPLORE.EXE Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\Program Files\Internet Explorer\iexplore.exe ], Base Address: [0x00400000 ], Size: [0x00019000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\SHDOCVW.dll ], Base Address: [0x7E290000 ], Size: [0x00171000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ], Base Address: [0x754D0000 ], Size: [0x00080000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\RichEd20.dll ], Base Address: [0x74E30000 ], Size: [0x0006D000 ] Module Name: [ C:\WINDOWS\system32\ws2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] [=============================================================================] 5.a) IEXPLORE.EXE - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{000214E6-0000-0000-C000-000000000046}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {bf50b68e-29b8-4386-ae9c-9734d5117cd5} ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {B8DA6310-E19B-11D0-933C-00A0C90DCAA9} ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {bf50b68e-29b8-4386-ae9c-9734d5117cd5} ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{B722BCCB-4E68-101B-A2BC-00AA00404770}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {B8DA6310-E19B-11D0-933C-00A0C90DCAA9} ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TYPELIB ], Value Name: [ ], Value: [ {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters ], Value Name: [ Transports ], Value: [ 0x5400630070006900700000004e0065007400420049004f00530000000000 ], 2 times Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ HelperDllName ], Value: [ %SystemRoot%\System32\wshtcpip.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ Mapping ], Value: [ 0x0b0000000300000002000000010000000600000002000000010000000000 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ MaxSockaddrLength ], Value: [ 16 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ MinSockaddrLength ], Value: [ 16 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ UseDelayedAcceptance ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ DisplayString ], Value: [ NTDS ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1012 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Num_Catalog_Entries ], Value: [ 11 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time [=============================================================================] 5.b) IEXPLORE.EXE - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ \Device\Afd\Endpoint ] File Name: [ \Device\RasAcd ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ C:\Documents and Settings\Administrator\ ], Control Code: [ 0x00090028 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_INFO (0x0001207B) ], 2 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SET_CONTEXT (0x00012047) ], 6 times File: [ \Device\RasAcd ], Control Code: [ 0x00F14014 ], 3 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_BIND (0x00012003) ], 3 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_TDI_HANDLES (0x00012037) ], 9 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_CONNECT (0x00012007) ], 3 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\System32\winrnr.dll ] File Name: [ C:\WINDOWS\System32\wshtcpip.dll ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\DNSAPI.dll ] File Name: [ C:\WINDOWS\system32\RichEd20.dll ] File Name: [ C:\WINDOWS\system32\SHDOCVW.dll ] File Name: [ C:\WINDOWS\system32\ShimEng.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\hnetcfg.dll ] File Name: [ C:\WINDOWS\system32\mswsock.dll ] File Name: [ C:\WINDOWS\system32\rasadhlp.dll ] File Name: [ C:\WINDOWS\system32\ws2_32.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 5.c) IEXPLORE.EXE - Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ js001.3322.org ], Query Type: [ DNS_TYPE_A ], Query Result: [ 222.35.137.193 ], Successful: [ 1 ], Protocol: [ ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] TCP Connection Attempts: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] From ANUBIS:1038 to 222.35.137.193:220 From ANUBIS:1039 to 222.35.137.193:220 From ANUBIS:1041 to 222.35.137.193:220

 DNS Queries:
        Name: [ js001.3322.org ]          
TCP Connection Attempts
        to 222.35.137.193:220

Hostname: 222.35.137.193
ISP: CHINA RAILWAY TELECOMMUNICATIONS CENTER
Organization: CHINA RAILWAY TELECOMMUNICATIONS CENTER
Country: China 
State/Region: Beijing

Information from Robtex.com