Analysis Summary:

Analysis Date: 13.12.2006 01:27:41
Sandbox Version: 1.86
Filename: a07a0a134f3c108d154ce8675be7c7e3.exe

Technical Details:

Analysis Number: 1
Parent ID: 0
Process ID: 1116
Filename: c:\a07a0a134f3c108d154ce8675be7c7e3.exe
Filesize: 356352 bytes
MD5: a07a0a134f3c108d154ce8675be7c7e3
Start Reason: AnalysisTarget
Termination Reason: NormalTermination
Start Time: 00:00.110
Stop Time: 01:31.266
Detection:
OK (ClamAV)
OK (BDC/Linux-Console)
TR/Proxy.Delf.BS.76 (AntiVir Workstation)
DLL-Handling
Loaded DLLs
c:\a07a0a134f3c108d154ce8675be7c7e3.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LZ32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
c:\sxeF.tmp
Filesystem
New Files
c:\sxe10.tmp
c:\sxe11.tmp
Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\sxe11.tmp
Deleted Files
c:\sxe10.tmp
c:\sxeF.tmp
c:\sxe11.tmp
Chronological order
Create File: c:\sxe10.tmp
Delete File: c:\sxe10.tmp
Create File: c:\sxe11.tmp
Delete File: c:\sxeF.tmp
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: c:\sxe11.tmp ()
Find File: sxe11.tmp
Delete File: c:\sxe11.tmp
Registry
Reads
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
Process Management
Creates Process - Filename () CommandLine: ("c:\sxe11.tmp" ) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1116) As User: () Creation Flags: ()

The following process was started by process: 1
Analysis Number: 2
Parent ID: 1
Process ID: 1132
Filename: c:\sxe11.tmp
Filesize: 683520 bytes
MD5: ed126427c48e17d3cc57991c54583480
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:11.328
Stop Time: 01:30.953
Detection:
OK (ClamAV)
OK (BDC/Linux-Console)
OK (AntiVir Workstation)
COM
COM Create Instance: C:\Programme\Messenger\msgsc.dll, ProgID: (Messenger.UIAutomation.1), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: C:\Programme\Messenger\msgsc.dll, ProgID: (MessengerNative.UIAutomation.1), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: C:\Programme\Messenger\msgsc.dll, ProgID: (MessengerNative.UIAutomation.1), Interface ID: ({D50C3386-0F89-48F8-B204-3604629DEE10})
COM Create Instance: C:\Programme\Messenger\msgsc.dll, ProgID: (MessengerPrivateNative.MessengerPriv.1), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: C:\Programme\Messenger\msgsc.dll, ProgID: (MessengerPrivateNative.MessengerPriv.1), Interface ID: ({D50C3386-0F89-48F8-B204-3604629DEE10})
COM Create Instance: C:\Programme\Messenger\msmsgs.exe, ProgID: (MessengerNative.MsgrSessionManager.1), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Get Class Object: oleaut32.dll, Interface ID: ({D5F569D0-593B-101A-B569-08002B2DBF7A})
DLL-Handling
Loaded DLLs
c:\sxe11.tmp
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\version.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
c:\sxe11.DEU
c:\sxe11.DE
uxtheme.dll
comctl32.dll
shlwapi.dll
C:\Programme\Gemeinsame Dateien\System\wab32res.dll
C:\Programme\Gemeinsame Dateien\System\wab32.dll
WS2_32.DLL
RASAPI32.DLL
RTUTILS.DLL
RASMAN.DLL
secur32.dll
C:\WINDOWS\system32\msv1_0.dll
SHELL32.dll
USERENV.dll
netapi32.dll
WININET.dll
VERSION.dll
SXS.DLL
OLE32
RPCRT4.dll
user32.dll
OLEAUT32
Filesystem
New Files
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
C:\WINDOWS\svchost.exe
Opened Files
\\.\PIPE\ROUTER
\\.\Ip
\\.\PIPE\lsarpc
c:\autoexec.bat
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\svchost.exe
C:\WINDOWS\Registration\R000000000007.clb
C:\Programme\Messenger\msmsgs.exe\3
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\stdole2.tlb
C:\Programme\Messenger\msmsgs.exe\2
Chronological order
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk
Open File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\nepenthes\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create File: C:\WINDOWS\svchost.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\svchost.exe ()
Find File: svchost.exe
Find File: C:\Dokumente und Einstellungen\*.*
Find File: C:\Dokumente und Einstellungen\nepenthes\Dados de aplicativos\Microsoft\Address Book\nepenthes.wab
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: C:\Programme\Messenger\msmsgs.exe\3 (OPEN_EXISTING)
Open File: C:\Programme\Messenger\msmsgs.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
Open File: C:\Programme\Messenger\msmsgs.exe\2 (OPEN_EXISTING)
Mutexes
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-1645522239-706699826-839522115-1003MUTEX.DefaultS-1-5-21-16455222
Creates Mutex: RasPbFile
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Registry
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ "EnableAnchorContext"
HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\DLLPath ""
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings "DisableImprovedZoneCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_CLASSES_ROOT\TypeLib\{E02AD29E-80F5-46C6-B416-9B3EBDDF057E}\1.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer "Debug"
HKEY_CLASSES_ROOT "Interface\{D50C3386-0F89-48F8-B204-3604629DEE10}\ProxyStubClsid32"
HKEY_CLASSES_ROOT "Interface\{D50C3386-0F89-48F8-B204-3604629DEE10}\Forward"
HKEY_CLASSES_ROOT\Interface\{D50C3386-0F89-48F8-B204-3604629DEE10}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{D50C3386-0F89-48F8-B204-3604629DEE10}\TypeLib "Version"
HKEY_CLASSES_ROOT\TypeLib\{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}\1.0\0\win32 ""
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc "UDTAlignmentPolicy"
HKEY_CLASSES_ROOT "Interface\{7C95459B-C8E7-4605-B641-45EB06866659}\ProxyStubClsid32"
HKEY_CLASSES_ROOT "Interface\{7C95459B-C8E7-4605-B641-45EB06866659}\Forward"
HKEY_CLASSES_ROOT\Interface\{7C95459B-C8E7-4605-B641-45EB06866659}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{7C95459B-C8E7-4605-B641-45EB06866659}\TypeLib "Version"
HKEY_CLASSES_ROOT\TypeLib\{53CED51D-432B-45b2-A3E0-0CE2C24235D4}\1.0\0\win32 ""
HKEY_CLASSES_ROOT "Interface\{36602AFA-4859-4DF5-820B-BF35ACAA16CA}\ProxyStubClsid32"
HKEY_CLASSES_ROOT "Interface\{36602AFA-4859-4DF5-820B-BF35ACAA16CA}\Forward"
HKEY_CLASSES_ROOT\Interface\{36602AFA-4859-4DF5-820B-BF35ACAA16CA}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{36602AFA-4859-4DF5-820B-BF35ACAA16CA}\TypeLib "Version"
HKEY_CLASSES_ROOT "Interface\{D50C3386-0F89-48F8-B204-3604629DEE10}\Forward"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MessengerService "RTCState"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MessengerService "ExchangeState"
Enums
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
HKEY_CLASSES_ROOT\TypeLib\{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}
HKEY_CLASSES_ROOT\TypeLib\{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}\1.0
HKEY_CLASSES_ROOT\TypeLib\{53CED51D-432B-45b2-A3E0-0CE2C24235D4}
HKEY_CLASSES_ROOT\TypeLib\{53CED51D-432B-45b2-A3E0-0CE2C24235D4}\1.0
Process Management
Creates Process - Filename () CommandLine: (C:\Arquivos de Programas\Internet Explorer\Iexplore.exe http://www.humortadela.com.br) As User: () Creation Flags: ()
Creates Process - Filename () CommandLine: (C:\WINDOWS\svchost.exe) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1132) As User: () Creation Flags: ()
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"
System Info
Get System Directory
Get Computer Name
User Management
Impersonate User - Domain: () User: (nepenthes)
Get User Name
Window
Find Window - Class Name (Shell_TrayWnd) Window Name ()
Enum Windows
Destroy Window - Class Name (TForm1) Window Name (lo )
Destroy Window - Class Name (tooltips_class32) Window Name ()
Destroy Window - Class Name (TPUtilWindow) Window Name ()
Destroy Window - Class Name (TApplication) Window Name (sxe11)
Network Activity
UDP Connections
Download URLs
http://210.58.101.241/modules/xfsection/html/msmm.exe
Outgoing connection to remote server: 210.58.101.241 TCP port 80

Analysis Number: 3
Parent ID: 0
Process ID: 664
Filename: services.exe
Filesize: -1 bytes
MD5:
Start Reason: SCM
Termination Reason: Timeout
Start Time: 00:14.235
Stop Time: 02:00.469

The following process was started by process: 2
Analysis Number: 4
Parent ID: 2
Process ID: 1640
Filename: C:\WINDOWS\svchost.exe
Filesize: 914944 bytes
MD5: 76841d4594f0b5ef11f6f06f6b01ebcf
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:48.610
Stop Time: 02:00.250
Detection:
OK (ClamAV)
Generic.Banker.Delf.B2693D44 (BDC/Linux-Console)
TR/Spy.Banker.GN.914944 (AntiVir Workstation)
DLL-Handling
Loaded DLLs
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LZ32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\sxe12.tmp
Filesystem
New Files
C:\WINDOWS\sxe13.tmp
C:\WINDOWS\sxe14.tmp
Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\sxe14.tmp
Deleted Files
C:\WINDOWS\sxe13.tmp
C:\WINDOWS\sxe12.tmp
Chronological order
Create File: C:\WINDOWS\sxe13.tmp
Delete File: C:\WINDOWS\sxe13.tmp
Create File: C:\WINDOWS\sxe14.tmp
Delete File: C:\WINDOWS\sxe12.tmp
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\sxe14.tmp ()
Find File: sxe14.tmp
Registry
Reads
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
Process Management
Creates Process - Filename () CommandLine: ("C:\WINDOWS\sxe14.tmp" ) As User: () Creation Flags: ()

The following process was started by process: 4
Analysis Number: 5
Parent ID: 4
Process ID: 1380
Filename: C:\WINDOWS\sxe14.tmp
Filesize: 3816448 bytes
MD5: 3f352d591dedb24ce03fb3d0d63cb2c6
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:51.000
Stop Time: 02:00.610
Detection:
DLL-Handling
Loaded DLLs
C:\WINDOWS\sxe14.tmp
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\version.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\sxe14.DEU
C:\WINDOWS\sxe14.DE
uxtheme.dll
WS2_32.DLL
comctl32.dll
RASAPI32.DLL
RTUTILS.DLL
RASMAN.DLL
secur32.dll
C:\WINDOWS\system32\msv1_0.dll
SHELL32.dll
USERENV.dll
netapi32.dll
shlwapi.dll
Filesystem
New Files
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
Opened Files
\\.\PIPE\ROUTER
\\.\Ip
\\.\PIPE\lsarpc
c:\autoexec.bat
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk
Chronological order
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk
Open File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\nepenthes\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Mutexes
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-1645522239-706699826-839522115-1003
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-1645522239-706699826-839522115-1003MUTEX.DefaultS-1-5-21-16455222
Creates Mutex: RasPbFile
Creates Mutex: MSCTF.Shared.MUTEX.EOF
Registry
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ "EnableAnchorContext"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Process Management
Creates Process - Filename () CommandLine: (iexplore WWW_GetWindowInfo) As User: () Creation Flags: ()
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"
System Info
Get System Directory
Get Computer Name
User Management
Impersonate User - Domain: () User: (nepenthes)
Window
Find Window - Class Name (Shell_TrayWnd) Window Name ()
Find Window - Class Name (Shell DocObject View) Window Name ()
Find Window - Class Name () Window Name (Evite que outras pessoas vejam você digitar sua senha - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Evite que outras pessoas te vejam digitar a sua -senha- - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (A senha de oito dígitos é usada somente para o login - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Não abra e-mail de origem desconhecida - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Verifique um pequeno cadeado fechado na parte inferior do navegador - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Verifique um pequeno cadeado na parte inferior de seu navegador - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Evite que outras pessoas vejam você digitar a sua -senha- - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Mantenha atualizado o sistema operacional, o navegador e o anti-vírus/trojan - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Troque sua senha caso ela possa ser descoberta facilmente - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Sempre consulte esta página para novas informações sobre a segurança - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Sempre consulte esta página para novas informações sobre segurança - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Evite realizar operações em equipamentos de uso público - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Não permita que outras pessoas conheçam os seus dados de acesso - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Escolha "senhas" diferentes do seu nascimento, CPF e n° seqüenciais - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Note se no incio do campo "endereço" surgem as letras "https" - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Não use atalhos em e-mail para acessar o site. Digite o endereço direto no navegador - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Não abra arquivos de origem desconhecida - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Evite abrir arquivos executáveis anexados às suas mensagens - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Não faça alteração cadastral por e-mail - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Não enviamos e-mail sem a sua permissão - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Cuidado com links e downloads contidos em mensagens promocionais - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Nunca digite seus dados de acesso em e-mail - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (Memorize suas senhas sem anotá-las - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (A senha de oito números somente é usada para o login - Microsoft Internet Explorer)
Find Window - Class Name () Window Name (>^bR_CHAR(0x0C)_^O VV_CHAR(0x06)_NRÐEJOÿBLü>;FHFö÷9A66B4µ<îë=>:.+2ä$5á,$2/_CHAR(0x1D)_.ÚÛ +*%'ÕÒÞÐü_CHAR(0x17)__CHAR(0x10)__CHAR(0x1E)__CHAR(0x1A)__CHAR(0x1D)__CHAR(0x18)__CHAR(0x0E)__CHAR(0x1B)_Æî_CHAR(0x12)__CHAR(0x17)__CHAR(0x07)__CHAR(0x13)__CHAR(0x0E)__CHAR(0x04)__CHAR(0x12)_½á_CHAR(0x13)_ _CHAR(0x05)__CHAR(0x07)_ û_CHAR(0x07)_)
Enum Windows
Network Activity
DNS Lookup
Host Name: gsmtp185.google.com
IP Address: 64.233.185.27
SMTP: 64.233.185.27:25

Report generated at 13.12.2006 01:27:41 with CWSandbox Version 1.86
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.
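The report above is a flat, per-process behaviour trace, and an analyst's first questions are what ran what, what each stage wrote and then launched, where it connected, and which scanners flagged it. The following Python script is added here as a worked example; it is not part of the CWSandbox report or of Sunbelt's tooling. It parses a constructed excerpt of this page's report, kept in the same flattened "LabelValue" form, rebuilds the parent/child chain from the Analysis Number and Parent ID fields, and flags the behaviours the trace shows: a stage that writes a file and launches it (the .tmp droppers), an executable carrying a Windows system-binary name outside System32 (C:\WINDOWS\svchost.exe, where the genuine svchost.exe lives in C:\WINDOWS\system32), a download URL, a direct SMTP connection, and non-clean scanner verdicts. The regular expressions, tag names and the SYSTEM_BINARIES list are the example's own assumptions about the report layout, not CWSandbox conventions.

```python
"""Triage a flattened CWSandbox text report. Added example, not CWSandbox/Sunbelt code."""
import re
from dataclasses import dataclass, field
# Constructed excerpt of this page's report, kept in its flattened "LabelValue" form.
SAMPLE_REPORT = r"""Analysis Number1
Parent ID0
Filenamec:\a07a0a134f3c108d154ce8675be7c7e3.exe
MD5a07a0a134f3c108d154ce8675be7c7e3
DetectionOK (ClamAV)
TR/Proxy.Delf.BS.76 (AntiVir Workstation)
Create File: c:\sxe11.tmp
Process Management Creates Process - Filename () CommandLine: ("c:\sxe11.tmp" ) As User: () Creation Flags: ()
Analysis Number2
Parent ID1
Filenamec:\sxe11.tmp
MD5ed126427c48e17d3cc57991c54583480
OK (AntiVir Workstation)
Create File: C:\WINDOWS\svchost.exe
Creates Process - Filename () CommandLine: (C:\WINDOWS\svchost.exe) As User: () Creation Flags: ()
http://210.58.101.241/modules/xfsection/html/msmm.exe
Analysis Number4
Parent ID2
FilenameC:\WINDOWS\svchost.exe
MD576841d4594f0b5ef11f6f06f6b01ebcf
TR/Spy.Banker.GN.914944 (AntiVir Workstation)
Create File: C:\WINDOWS\sxe14.tmp
Creates Process - Filename () CommandLine: ("C:\WINDOWS\sxe14.tmp" ) As User: () Creation Flags: ()
Analysis Number5
Parent ID4
FilenameC:\WINDOWS\sxe14.tmp
MD53f352d591dedb24ce03fb3d0d63cb2c6
SMTP: 64.233.185.27:25
"""

@dataclass
class Process:
    number: int
    parent: int = 0
    filename: str = ""
    md5: str = ""
    detections: dict = field(default_factory=dict)   # scanner -> verdict; "OK" means clean
    created_files: list = field(default_factory=list)
    command_lines: list = field(default_factory=list)
    download_urls: list = field(default_factory=list)
    connections: list = field(default_factory=list)  # "host:port/proto"

_RULES = [  # (regex, handler); the first rule that matches a line consumes it
    (re.compile(r"^Parent ID(\d+)$"), lambda p, m: setattr(p, "parent", int(m[1]))),
    (re.compile(r"^Filename(.+)$"), lambda p, m: setattr(p, "filename", m[1])),
    (re.compile(r"^MD5([0-9a-fA-F]{32})$"), lambda p, m: setattr(p, "md5", m[1].lower())),
    (re.compile(r"^(?:Detection)?(.+?) \((ClamAV|BDC/Linux-Console|AntiVir Workstation)\)$"),
     lambda p, m: p.detections.update({m[2]: m[1]})),
    (re.compile(r"^Create File: (.+)$"), lambda p, m: p.created_files.append(m[1])),
    (re.compile(r"Creates Process - .*?CommandLine: \((.*?)\) As User:"),
     lambda p, m: p.command_lines.append(m[1].strip())),
    (re.compile(r"^https?://\S+$"), lambda p, m: p.download_urls.append(m[0])),
    (re.compile(r"^SMTP: (\S+):(\d+)$"), lambda p, m: p.connections.append(f"{m[1]}:{m[2]}/smtp")),
]
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def parse_report(text):
    """Split the flat report into per-process records keyed by analysis number."""
    procs, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if (m := re.match(r"^Analysis Number(\d+)$", line)):
            cur = procs[int(m[1])] = Process(number=int(m[1]))
        elif cur is not None:
            for rx, handle in _RULES:
                if (m := rx.search(line)):
                    handle(cur, m)
                    break
    return procs

def flag_indicators(procs):
    """(analysis number, tag, detail) for behaviours visible in the trace."""
    out = []
    for p in procs.values():
        path = p.filename.lower()
        # a system-binary name outside %SystemRoot%\system32 is masquerading
        if "\\" in path and path.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and "\\system32\\" not in path:
            out.append((p.number, "masquerade", f"{p.filename} is outside system32"))
        # dropper: a file this process wrote appears in a command line it launched
        out += [(p.number, "dropper", f"writes and runs {f}") for f in p.created_files
                if any(f.lower() in c.lower() for c in p.command_lines)]
        out += [(p.number, "downloader", u) for u in p.download_urls]
        out += [(p.number, "smtp-exfil", c) for c in p.connections if c.endswith("/smtp")]
        out += [(p.number, "av-hit", f"{s}: {v}") for s, v in p.detections.items() if v != "OK"]
    return out

def process_tree(procs):
    """analysis number -> children; a parent absent from the report makes a root"""
    children = {n: [] for n in procs}
    for p in procs.values():
        if p.parent in children:
            children[p.parent].append(p.number)
    return children

if __name__ == "__main__":
    procs = parse_report(SAMPLE_REPORT)
    print("tree:", process_tree(procs))
    for n, tag, detail in flag_indicators(procs):
        print(f"[{tag}] analysis {n}: {detail}")
```

Run directly, it prints the chain 1 to 2 to 4 to 5 and one finding per flagged behaviour. Fed the full report text from this page instead of the excerpt, parse_report yields the same chain plus services.exe (analysis 3) as a separate root, since its Parent ID of 0 matches no analysis in the report; lines the rules do not recognise (registry reads, mutexes, DLL loads) are simply skipped.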