Analysis Summary:

Analysis Date: 24.09.2006 04:04:01
Sandbox Version: Beta 1.81
Filename: 41ba68620a5aa57b1e3b9ebcd45fbbd0.exe

Technical Details:

Analysis Number: 1
Parent ID: 0
Process ID: 684
Filename: c:\analysis\binary\41ba68620a5aa57b1e3b9ebcd45fbbd0.exe
Filesize: 15872 bytes
MD5: 41ba68620a5aa57b1e3b9ebcd45fbbd0
Start Reason: AnalysisTarget
Termination Reason: NormalTermination
Start Time: 00:00.187
Stop Time: 00:29.562
Detection: Trojan.Clicker-4 (ClamAV)
OK (BDC/Linux-Console)
OK (AntiVir Workstation)
COM
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\webcheck.dll, ProgID: (), Interface ID: ({085FB2C0-0DF8-11D1-8F4B-00A0C905413F})
COM Create Instance: shdocvw.dll, ProgID: (InternetShortcut), Interface ID: ({CABB0DA0-DA57-11CF-9974-0020AFD79762})
COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID: (), Interface ID: ({79EAC9EE-BAF9-11CE-8C82-00AA004BA90B})
DLL-Handling
Loaded DLLs
c:\analysis\binary\41ba68620a5aa57b1e3b9ebcd45fbbd0.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
c:\analysis\binary\41ba68620a5aa57b1e3b9ebcd45fbbd0.DEU
c:\analysis\binary\41ba68620a5aa57b1e3b9ebcd45fbbd0.DE
uxtheme.dll
netapi32
appHelp.dll
ole32.dll
advapi32.dll
kernel32.dll
comctl32.dll
RichEd20.dll
SHELL32.dll
C:\WINDOWS\system32\shdoclc.dll
WININET.dll
OLEAUT32.dll
urlmon.dll
VERSION.dll
Filesystem
Opened Files
\\.\PIPE\wkssvc
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\Registration\R000000000014.clb
C:\WINDOWS\system32\webcheck.dll
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\urlmon.dll
C:\Program Files\Internet Explorer\iexplore.exe
Chronological order
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\analysis\binary Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000014.clb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\webcheck.dll (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\webcheck.dll ()
Find File: webcheck.dll
Open File: C:\WINDOWS\system32\urlmon.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\urlmon.dll ()
Find File: urlmon.dll
Get File Attributes: C:\Program Files\Internet Explorer\iexplore.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\Program Files\Internet Explorer\iexplore.exe ()
Find File: iexplore.exe
Mutexes
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Registry
Reads
Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
Control Panel\Desktop "LameButtonText"
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1\Registry\Machine\Software\Classes\CLSID\{abbe31d0-6dae-11d0-beca-00c04fd940be}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1\Registry\Machine\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers "C:\WINDOWS\system32\webcheck.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1\Registry\Machine\Software\Classes\CLSID\{fbf23b40-e3f0-101b-8488-00aa003e56f8}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1\Registry\Machine\Software\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers "C:\WINDOWS\system32\urlmon.dll"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings "DisableImprovedZoneCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} "IsInstalled"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} "Version"
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Registry\Machine\SYSTEM\WPA\MediaCenter "Installed"
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags "{40858178-4150-4aef-a949-2b3e5f598e31}"
Enums
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
Process Management
Creates Process - Filename (http://www.ifreeclub.com/redir.aspx?oid=1105) CommandLine: () As User: () Creation Flags: ()
Creates Process - Filename (http://www.ifreeclub.com/redir.aspx?oid=1105) CommandLine: () As User: () Creation Flags: ()
System Info
Get System Directory
Get Computer Name
Get System Time
User Management
Get User Name
Window
Enum Windows
Network Activity

The following process was started by process: 1
Analysis Number: 2
Parent ID: 1
Process ID: 1320
Filename: C:\Program Files\Internet Explorer\iexplore.exe (command line: C:\Program Files\Internet Explorer\iexplore.exe -nohome)
Filesize: -1 bytes
MD5:
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:11.031
Stop Time: 02:00.156
COM
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({47851649-A2EF-4E67-BAEC-C6A153AC72EC})
COM Create Instance: %SystemRoot%\system32\SHELL32.dll, ProgID: (), Interface ID: ({EE1F7637-E138-11D1-8379-00C04FD918D0})
COM Create Instance: %SystemRoot%\System32\cscui.dll, ProgID: (), Interface ID: ({0C6C4200-C589-11D0-999A-00C04FD655E1})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({85CB6900-4D95-11CF-960C-0080C7F4EE85})
COM Create Instance: , ProgID: (), Interface ID: ({00000149-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID: (), Interface ID: ({79EAC9EF-BAF9-11CE-8C82-00AA004BA90B})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID: (), Interface ID: ({79EAC9EE-BAF9-11CE-8C82-00AA004BA90B})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({A5ACA655-7FB8-43DC-A433-8D87B69C70A0})
COM Create Instance: C:\WINDOWS\system32\msimtf.dll, ProgID: (), Interface ID: ({08C0E040-62D1-11D1-9326-0060B067B86E})
COM Create Instance: C:\WINDOWS\system32\jscript.dll, ProgID: (JScript), Interface ID: ({BB1A2AE1-A4F9-11CF-8F20-00805F2CD064})
COM Create Instance: , ProgID: (), Interface ID: ({00000146-0000-0000-C000-000000000046})
COM Create Instance: , ProgID: (), Interface ID: ({6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8})
COM Create Instance: C:\WINDOWS\system32\mlang.dll, ProgID: (), Interface ID: ({275C23E1-3747-11D0-9FEA-00AA003F8646})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({062E1261-A60E-11D0-82C2-00C04FD5AE38})
COM Get Class Object: %SystemRoot%\system32\shdocvw.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: oleaut32.dll, Interface ID: ({D5F569D0-593B-101A-B569-08002B2DBF7A})
COM Get Class Object: %SystemRoot%\system32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: %SystemRoot%\system32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
DLL-Handling
Loaded DLLs
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\SHDOCVW.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\CRYPTUI.dll
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\Secur32.dll
SHELL32.dll
ole32.dll
uxtheme.dll
comctl32.dll
BROWSEUI.dll
shdocvw.dll
C:\WINDOWS\system32\browselc.dll
appHelp.dll
OLEAUT32.dll
WININET.dll
OLE32
SXS.DLL
urlmon.dll
C:\WINDOWS\system32\shdoclc.dll
xpsp2res.dll
mlang.dll
RASAPI32.DLL
RTUTILS.DLL
WS2_32.dll
USERENV.dll
netapi32.dll
IMM32.DLL
OLEAUT32
advapi32.dll
USER32.DLL
Filesystem
New Files
\Device\RasAcd
C:\Documents and Settings\foobar\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Opened Files
C:\WINDOWS\Registration\R000000000014.clb
C:\WINDOWS\System32\cscui.dll
\\.\shadow
\\.\PIPE\lsarpc
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\system32\stdole2.tlb
c:\autoexec.bat
Chronological order
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000014.clb (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\cscui.dll (OPEN_EXISTING)
Open File: \\.\shadow (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\foobar\Favorites\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\foobar\Favorites\Links Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\foobar\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Get File Attributes: C:\Documents and Settings\foobar\Local Settings\Application Data\Microsoft Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\foobar\Local Settings\Application Data\Microsoft\Internet Explorer Flags: (SECURITY_ANONYMOUS)
Create/Open File: C:\Documents and Settings\foobar\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (OPEN_ALWAYS)
Get File Attributes: C:\Documents and Settings\foobar\Local Settings\History\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\NOTEPAD.EXE Flags: (SECURITY_ANONYMOUS)
INI Files
Read INI File
C:\Documents and Settings\foobar\Favorites\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\foobar\Favorites\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\desktop.ini [.ShellClassInfo] LocalizedResourceName =
WIN.INI [windows] DragScrollInset =
WIN.INI [windows] DragScrollDelay =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragScrollInterval =
C:\Documents and Settings\foobar\Local Settings\History\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\foobar\Local Settings\History\desktop.ini [.ShellClassInfo] LocalizedResourceName =
Mutexes
Creates Mutex: Shell.CMruPidlList
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: RasPbFile
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-1757981266-1202660629-839522115-1003
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-1757981266-1202660629-839522115-1003
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-1757981266-1202660629-839522115-1003
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-1757981266-1202660629-839522115-1003
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-1757981266-1202660629-839522115-1003
Creates Mutex: MSIMGSIZECacheMutex
Opens Mutex: WininetStartupMutex
Opens Mutex: _!SHMSFTHISTORY!_
Registry
Reads
Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
Control Panel\Desktop "LameButtonText"
\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
\Registry\Machine\Software\Classes\CLSID\{a5e46e3a-8849-11d1-9d8c-00c04fc99d61}\InProcServer32 ""
HKEY_CLASSES_ROOT\.htm ""
HKEY_CLASSES_ROOT\.htm "Content Type"
HKEY_CLASSES_ROOT\.html ""
HKEY_CLASSES_ROOT\.html "Content Type"
\Registry\Machine\Software\Classes\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}\InProcServer32 ""
\Registry\Machine\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 ""
HKEY_CLASSES_ROOT\http "EditFlags"
HKEY_CLASSES_ROOT\http "URL Protocol"
HKEY_CLASSES_ROOT\https "EditFlags"
HKEY_CLASSES_ROOT\https "URL Protocol"
HKEY_CLASSES_ROOT\ftp "EditFlags"
HKEY_CLASSES_ROOT\ftp "URL Protocol"
HKEY_CLASSES_ROOT\gopher "EditFlags"
HKEY_CLASSES_ROOT\gopher "URL Protocol"
HKEY_CLASSES_ROOT\telnet ""
HKEY_CLASSES_ROOT\telnet "EditFlags"
HKEY_CLASSES_ROOT\telnet "URL Protocol"
HKEY_CLASSES_ROOT\telnet\DefaultIcon ""
HKEY_CLASSES_ROOT\telnet\shell\open\command ""
HKEY_CLASSES_ROOT\rlogin ""
HKEY_CLASSES_ROOT\rlogin "EditFlags"
HKEY_CLASSES_ROOT\rlogin "URL Protocol"
HKEY_CLASSES_ROOT\rlogin\DefaultIcon ""
HKEY_CLASSES_ROOT\rlogin\shell\open\command ""
HKEY_CLASSES_ROOT\tn3270 ""
HKEY_CLASSES_ROOT\tn3270 "EditFlags"
HKEY_CLASSES_ROOT\tn3270 "URL Protocol"
HKEY_CLASSES_ROOT\tn3270\DefaultIcon ""
HKEY_CLASSES_ROOT\tn3270\shell\open\command ""
HKEY_CLASSES_ROOT\mailto ""
HKEY_CLASSES_ROOT\mailto "EditFlags"
HKEY_CLASSES_ROOT\mailto "URL Protocol"
HKEY_CLASSES_ROOT\mailto\DefaultIcon ""
HKEY_CLASSES_ROOT\mailto\shell\open\command ""
HKEY_CLASSES_ROOT\news ""
HKEY_CLASSES_ROOT\news "EditFlags"
HKEY_CLASSES_ROOT\news "URL Protocol"
HKEY_CLASSES_ROOT\news\DefaultIcon ""
HKEY_CLASSES_ROOT\news\shell\open\command ""
HKEY_CLASSES_ROOT\.url ""
HKEY_CLASSES_ROOT\InternetShortcut ""
HKEY_CLASSES_ROOT\InternetShortcut "EditFlags"
HKEY_CLASSES_ROOT\InternetShortcut "IsShortcut"
HKEY_CLASSES_ROOT\InternetShortcut "NeverShowExt"
HKEY_CLASSES_ROOT\InternetShortcut\CLSID ""
HKEY_CLASSES_ROOT\InternetShortcut\DefaultIcon ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\IconHandler ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\PropertySheetHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 "ThreadingModel"
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 "LoadWithoutCOM"
HKEY_CLASSES_ROOT\http\shell\open\command ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\https\shell\open\command ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\https\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\ftp\shell\open\command ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\ifExec ""
HKEY_CLASSES_ROOT\gopher\shell\open\command ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\htmlfile\shell ""
HKEY_CLASSES_ROOT\htmlfile\shell\open ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\command ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\IfExec ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Application ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\command ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\command ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\IfExec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\Application ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\Topic ""
HKEY_CLASSES_ROOT\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} ""
HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command ""
HKEY_CLASSES_ROOT\InternetShortcut\shell\open "CLSID"
HKEY_CLASSES_ROOT\InternetShortcut\shell\open "LegacyDisable"
HKEY_CLASSES_ROOT\InternetShortcut\shellex\ContextMenuHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\shellex\MayChangeDefaultMenu ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\PropertyHandler ""
HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command ""
HKEY_CLASSES_ROOT\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 ""
\Registry\Machine\Software\Classes\CLSID\{9ba05972-f6a8-11cf-a442-00a0c90a8f39}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer "Debug"
HKEY_CLASSES_ROOT "Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\ProxyStubClsid32"
HKEY_CLASSES_ROOT "Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\Forward"
HKEY_CLASSES_ROOT\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib "Version"
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32 ""
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc "UDTAlignmentPolicy"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings "DisableImprovedZoneCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} "Locale"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} "IsInstalled"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} "Version"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} "Version available"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "User Agent"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings\Registry\Machine\Software\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}\InProcServer32 ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IsTextPlainHonored"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/html "Extension"
KEY(742156) "NumShape"
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\\Registry\Machine\Software\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ "EnableAnchorContext"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF "Disable Thread Input Manager"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000407\{09EA4E4B-46CE-4469-B450-0DE76A435BBB} "Enable"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB} "Enable"
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\LanguageProfile\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 "COM+Enabled"
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Registry\Machine\Software\Classes\CLSID\{7b8a2d95-0ac9-11d1-896c-00c04fb6bfc4}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Registry\Machine\Software\Classes\CLSID\{ff393560-c2a7-11cf-bff4-444553540000}\InProcServer32 ""
Enums
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000407
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409
Process Management
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1584)
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"
System Info
Get System Directory
Get Computer Name
Get System Time
User Management
Impersonate User - Domain: () User: (foobar)
Impersonate User - Domain: () User: (foobar)
Get User Name
Window
Find Window - Class Name ($C0C7) Window Name ()
Find Window - Class Name (Shell_TrayWnd) Window Name ()
Find Window - Class Name (IEFrame) Window Name ()
Find Window - Class Name (MS_AutodialMonitor) Window Name ()
Find Window - Class Name (MS_WebcheckMonitor) Window Name ()
Enum Windows
Network Activity
UDP Connections
Download URLs
Outgoing connection to remote server: 64.34.179.202 TCP port 80
Outgoing connection to remote server: 64.34.179.202 TCP port 80

Analysis Number: 3
Parent ID: 0
Process ID: 528
Filename: services.exe
Filesize: -1 bytes
MD5:
Start Reason: SCM
Termination Reason: Timeout
Start Time: 00:28.797
Stop Time: 02:00.156

Report generated at 24.09.2006 04:04:01 with CWSandbox Version Beta 1.81
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.