anubis left
Anubis - Analysis Report
anubis right

Analysis Report for SimpleCSSHack.exe

 Comment on this report

Summary:

Description Risk
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. medium
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary. high
Spawns Processes: The executable produces processes during the execution. low
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys. low


Table of Contents
expand all expand all   collapse all collapse all

1. General Information

  - Information about Anubis' invocation  
Time needed: 241 s 
Report created: 09/25/09, 15:34:13 UTC 
Termination reason: Timeout 
Program version: 1.72.0 

2. SimpleCSSHack.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: SimpleCSSHack.exe 
MD5: 19aeee58a6cbf39c3dcb1769a09f856e 
SHA-1: 16b26311b0c03199f405ac802e93a41dfbf4febd 
File Size: 572024 Bytes
Command Line: "C:\SimpleCSSHack.exe"  
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​user32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​advapi32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​oleaut32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​NETAPI32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 
C:\​WINDOWS\​system32\​faultrep.dll  0x69450000  0x00016000 
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 
C:\​WINDOWS\​system32\​WINSTA.dll  0x76360000  0x00010000 
C:\​WINDOWS\​system32\​USERENV.dll  0x769C0000  0x000B4000 
C:\​WINDOWS\​system32\​WTSAPI32.dll  0x76F50000  0x00008000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​SETUPAPI.dll  0x77920000  0x000F3000 
C:\​WINDOWS\​system32\​apphelp.dll  0x77B40000  0x00022000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​shell32.dll  0x7C9C0000  0x00817000 

  - Popups  
Window Name Window Text Screenshot Number of Displayed Times
Initialization Error  OK This software requires the .NET Framework 2.0 or higher. Please install the .NET Framework and run this software again.   screenshot

2.a) SimpleCSSHack.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​Microsoft\​CTF\​SystemShared\​  CUAS 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​Setup  OsLoaderPath  \​ 
HKLM\​SYSTEM\​Setup  SystemPartition  \​Device\​HarddiskVolume1 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Microsoft\​PCHealth\​ErrorReporting  AllOrNone 
HKLM\​Software\​Microsoft\​PCHealth\​ErrorReporting  DoReport 
HKLM\​Software\​Microsoft\​PCHealth\​ErrorReporting  IncludeKernelFaults 
HKLM\​Software\​Microsoft\​PCHealth\​ErrorReporting  IncludeMicrosoftApps 
HKLM\​Software\​Microsoft\​PCHealth\​ErrorReporting  IncludeWindowsApps 
HKLM\​Software\​Microsoft\​PCHealth\​ErrorReporting  ShowUI 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​AeDebug  Auto 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​AeDebug  Debugger  drwtsn32 -p %ld -e %ld -g 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Windows  AppInit_DLLs   
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  DevicePath  %SystemRoot%\​inf 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  DriverCachePath  %SystemRoot%\​Driver Cache 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  LogLevel 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  ServicePackCachePath  c:\​windows\​ServicePackFiles\​ServicePackCache 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  ServicePackSourcePath  D:\​ 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  SourcePath  D:\​ 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC 
HKLM\​System\​CurrentControlSet\​Control\​ProductOptions  ProductType  WinNT 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSAppCompat 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSUserEnabled 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Domain   
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Hostname  pc 
HKLM\​System\​Setup  SystemSetupInProgress 
HKLM\​System\​WPA\​PnP  seed  1274198464 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Language Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Layout Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Local Settings  %USERPROFILE%\​Local Settings 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Personal  %USERPROFILE%\​My Documents 

2.b) SimpleCSSHack.exe - File Activities

  - Files Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\c19b_appcompat.txt

  - Files Read:  
C:\SimpleCSSHack.exe
C:\WINDOWS\system32\winsock.dll
PIPE\lsarpc

  - Files Modified:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\c19b_appcompat.txtinfo
PIPE\lsarpcinfo

  - File System Control Communication:  
File Control Code Times
C:\  0x00090028 
PIPE\lsarpc  0x0011C017 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\WTSAPI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\apphelp.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\faultrep.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\winsock.dll
C:\Windows\AppPatch\sysmain.sdb

2.c) SimpleCSSHack.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\WINDOWS\system32\dwwin.exe   
  C:\WINDOWS\system32\dwwin.exe -x -s 216 
C:\WINDOWS\system32\drwtsn32.exe   
  C:\WINDOWS\system32\drwtsn32 -p 1576 -e 180 -g 

  - Remote Threads Created:  
Affected Process
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\drwtsn32.exe

  - Foreign Memory Regions Read:  
Process: C:\WINDOWS\system32\drwtsn32.exe
Process: C:\WINDOWS\system32\dwwin.exe

  - Foreign Memory Regions Written:  
Process: C:\WINDOWS\system32\drwtsn32.exe
Process: C:\WINDOWS\system32\dwwin.exe

2.d) SimpleCSSHack.exe - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.Compart.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.LBES.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.Layouts.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.TMD.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.TimListCache.FMPDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500MUTEX.DefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
MSCTF.Shared.MUTEX.IM

  - Keyboard Keys Monitored:  
Virtual Key Code Times
VK_MENU (18) 
VK_CONTROL (17) 
VK_SHIFT (16) 
VK_LWIN (91) 
VK_RWIN (92) 

  - Windows SEH exceptions:  
Description Times
Exception 0xeedfade at 0x7c812aeb 
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x421361 

3. dwwin.exe

  - General information about this executable  
Analysis Reason: Started by SimpleCSSHack.exe 
Filename: dwwin.exe 
MD5: 86042f6f6a5287eaf9379c91d0bf72b6 
SHA-1: 532bf74e6aead7438aa7264d01759a065410ee68 
File Size: 180224 Bytes
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 216 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​ADVAPI32.DLL  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​COMCTL32.DLL  0x5D090000  0x0009A000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​OLEAUT32.DLL  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​SHELL32.DLL  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​URLMON.DLL  0x7E1E0000  0x000A2000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​system32\​WININET.DLL  0x771B0000  0x000AA000 
C:\​WINDOWS\​system32\​CRYPT32.dll  0x77A80000  0x00095000 
C:\​WINDOWS\​system32\​MSASN1.dll  0x77B20000  0x00012000 
C:\​WINDOWS\​system32\​ShimEng.dll  0x5CB70000  0x00026000 
C:\​WINDOWS\​AppPatch\​AcGenral.DLL  0x6F880000  0x001CA000 
C:\​WINDOWS\​system32\​WINMM.dll  0x76B40000  0x0002D000 
C:\​WINDOWS\​system32\​MSACM32.dll  0x77BE0000  0x00015000 
C:\​WINDOWS\​system32\​USERENV.dll  0x769C0000  0x000B4000 
C:\​WINDOWS\​system32\​UxTheme.dll  0x5AD70000  0x00038000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​1033\​dwintl.dll  0x314C0000  0x0000C000 
C:\​WINDOWS\​system32\​NETAPI32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​sensapi.dll  0x722B0000  0x00005000 
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 
C:\​WINDOWS\​system32\​riched20.dll  0x74E30000  0x0006D000 
C:\​WINDOWS\​system32\​imm32.dll  0x76390000  0x0001D000 
C:\​WINDOWS\​system32\​shfolder.dll  0x76780000  0x00009000 
C:\​WINDOWS\​system32\​PSAPI.DLL  0x76BF0000  0x0000B000 
C:\​WINDOWS\​system32\​rtutils.dll  0x76E80000  0x0000E000 
C:\​WINDOWS\​system32\​rasman.dll  0x76E90000  0x00012000 
C:\​WINDOWS\​system32\​TAPI32.dll  0x76EB0000  0x0002F000 
C:\​WINDOWS\​system32\​RASAPI32.DLL  0x76EE0000  0x0003C000 

  - Popups  
Window Name Window Text Screenshot Number of Displayed Times
SimpleCSSHack.exe  &Don't Send SimpleCSSHack.exe has encountered a problem and needs to close. We are sorry for the inconvenience. SimpleCSSHack.exe has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, Details &Send Error Report   screenshot

3.a) dwwin.exe - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKLM\​SYSTEM\​CURRENTCONTROLSET\​HARDWARE PROFILES\​CURRENT\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info ProxyEnable 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Common AppData  C:\​Documents and Settings\​All Users\​Application Data 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths  info Directory  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths  info Paths 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path1  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path1  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache1 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path2  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path2  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache2 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path3  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path3  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache3 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path4  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path4  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache4 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  AppData  C:\​Documents and Settings\​Administrator\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cookies  C:\​Documents and Settings\​Administrator\​Cookies 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  History  C:\​Documents and Settings\​Administrator\​Local Settings\​History 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Personal  C:\​Documents and Settings\​Administrator\​My Documents 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info MigrateProxy 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info ProxyEnable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  info SavedLegacySettings  0x3c0000000500000009000000000000000000000000000000000000000000 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-INTERNET-SIGNUP  Default  0x00000000 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-INTERNET-SIGNUP  DllFile  %SystemRoot%\​system32\​iedkcs32.dll 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-INTERNET-SIGNUP  FileExtensions  .ins 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-NS-PROXY-AUTOCONFIG  Default  0x01000000 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-NS-PROXY-AUTOCONFIG  DllFile  %SystemRoot%\​system32\​jsproxy.dll 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-NS-PROXY-AUTOCONFIG  FileExtensions  .pac;.jvs;.js 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-NS-PROXY-AUTOCONFIG  Flags  0x01000000 
HKLM\​SOFTWARE\​Microsoft\​CTF\​SystemShared\​  CUAS 
HKLM\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  UrlEncoding  0x00000000 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.iac2  aFormatTagCache  0x01000000100000000204000014000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.iac2  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.iac2  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.iac2  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.imaadpcm  aFormatTagCache  0x01000000100000001100000014000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.imaadpcm  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.imaadpcm  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.imaadpcm  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.l3acm  aFormatTagCache  0x0100000010000000550000001e000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.l3acm  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.l3acm  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.l3acm  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msadpcm  aFormatTagCache  0x01000000100000000200000032000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msadpcm  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msadpcm  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msadpcm  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msaudio1  aFormatTagCache  0x01000000120000006001000016000000610100001c000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msaudio1  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msaudio1  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msaudio1  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg711  aFormatTagCache  0x010000001000000006000000120000000700000012000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg711  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg711  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg711  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg723  aFormatTagCache  0x0100000010000000420000001c000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg723  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg723  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg723  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msgsm610  aFormatTagCache  0x01000000100000003100000014000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msgsm610  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msgsm610  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msgsm610  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.sl_anet  aFormatTagCache  0x01000000100000003001000016000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.sl_anet  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.sl_anet  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.sl_anet  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.trspch  aFormatTagCache  0x01000000100000002200000032000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.trspch  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.trspch  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.trspch  fdwSupport 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_BEHAVIORS 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_DISABLE_MK_PROTOCOL 
HKLM\​Software\​Microsoft\​Tracing  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  ConsoleTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableFileTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileDirectory  %windir%\​tracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  MaxFileSize  1048576 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion  DigitalProductId  0xa40000000300000037363438372d3634302d313435373233362d32333833 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​AeDebug  Debugger  drwtsn32 -p %ld -e %ld -g 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  midimapper   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.iac2  C:\​WINDOWS\​system32\​iac25_32.ax 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.imaadpcm  imaadp32.acm 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.l3acm   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msadpcm   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msaudio1   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msg711   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msg723   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msgsm610  msgsm32.acm 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.sl_anet   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.trspch   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.I420   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.M261   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.M263   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.cvid   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iv31   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iv32   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iv41   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iv50   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iyuv   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.mrle   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.msvc   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.uyvy   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.yuy2   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.yvu9   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.yvyu   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  wavemapper   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  AllUsersProfile  All Users 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  DefaultUserProfile  Default User 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  ProfilesDirectory  %SystemDrive%\​Documents and Settings 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  ProfileImagePath  %SystemDrive%\​Documents and Settings\​Administrator 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Windows  AppInit_DLLs   
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  CommonFilesDir  C:\​Program Files\​Common Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  ProgramFilesDir  C:\​Program Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common AppData  %ALLUSERSPROFILE%\​Application Data 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC 
HKLM\​System\​CurrentControlSet\​Control\​MediaProperties\​PrivateProperties\​Joystick\​Winmm  wheel 
HKLM\​System\​CurrentControlSet\​Control\​ProductOptions  ProductType  WinNT 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  ComSpec  %SystemRoot%\​system32\​cmd.exe 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  FP_NO_HOST_CHECK  NO 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  NUMBER_OF_PROCESSORS 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  OS  Windows_NT 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_ARCHITECTURE  x86 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_IDENTIFIER  x86 Family 6 Model 3 Stepping 3, GenuineIntel 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_LEVEL 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_REVISION  0303 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  Path  %SystemRoot%\​system32;%SystemRoot%;%SystemRoot%\​System32\​Wbem 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TEMP  %SystemRoot%\​TEMP 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TMP  %SystemRoot%\​TEMP 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  windir  %SystemRoot% 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSAppCompat 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSUserEnabled 
HKLM\​System\​Setup  SystemSetupInProgress 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Environment  TEMP  %USERPROFILE%\​Local Settings\​Temp 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Environment  TMP  %USERPROFILE%\​Local Settings\​Temp 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Language Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Layout Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableHttp1_1 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableNegotiate 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  MimeExclusionListForCache  multipart/mixed multipart/x-mixed-replace multipart/x-byteranges  
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  WarnOnPost  0x01000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Settings  Anchor Color  0,0,255 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Multimedia\​Audio  SystemFormats  CD Quality,Radio Quality,Telephone Quality 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Winlogon  ParseAutoexec 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  AppData  %USERPROFILE%\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cache  %USERPROFILE%\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cookies  %USERPROFILE%\​Cookies 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  History  %USERPROFILE%\​Local Settings\​History 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Local Settings  %USERPROFILE%\​Local Settings 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Personal  %USERPROFILE%\​My Documents 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache  Signature  Client UrlCache MMF Ver 5.2 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CacheLimit  163410 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CachePrefix   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CacheLimit  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CachePrefix  Cookie: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CacheLimit  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CachePrefix  Visited: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  MigrateProxy 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  ProxyEnable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  DefaultConnectionSettings  0x3c0000000200000009000000000000000000000000000000000000000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  SavedLegacySettings  0x3c0000000400000009000000000000000000000000000000000000000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  APPDATA  C:\​Documents and Settings\​Administrator\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  CLIENTNAME   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMEDRIVE  C: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMEPATH  \​Documents and Settings\​Administrator 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMESHARE   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  LOGONSERVER  \​\​PC 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  SESSIONNAME  Console 

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  Attributes Change,Value Change,Security Descriptor Change 

3.b) dwwin.exe - File Activities

  - Files Deleted:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\82B4F.dmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\c19b_appcompat.txt

  - Files Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\82B4F.dmp

  - Files Read:  
C:\SimpleCSSHack.exe
C:\WINDOWS\win.ini
PIPE\lsarpc
c:\autoexec.bat

  - Files Modified:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\82B4F.dmpinfo
PIPE\lsarpcinfo

  - File System Control Communication:  
File Control Code Times
C:\WINDOWS\system32  0x00090028 
PIPE\lsarpc  0x0011C017  16 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\82B4F.dmp
C:\SimpleCSSHack.exe
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\1033\dwintl.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\COMCTL32.DLL
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\RASAPI32.DLL
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHELL32.DLL
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\URLMON.DLL
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\WININET.DLL
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WTSAPI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\faultrep.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\riched20.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\shfolder.dll
C:\WINDOWS\system32\user32.dll
C:\Windows\AppPatch\sysmain.sdb

3.c) dwwin.exe - Process Activities

  - Foreign Memory Regions Read:  
Process: C:\SimpleCSSHack.exe

3.d) dwwin.exe - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.Compart.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.LBES.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.Layouts.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.TMD.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.TimListCache.FMPDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500MUTEX.DefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
MSCTF.Shared.MUTEX.IM
SHIMLIB_LOG_MUTEX
ZonesCacheCounterMutex
ZonesCounterMutex
ZonesLockedCacheCounterMutex

  - Keyboard Keys Monitored:  
Virtual Key Code Times
VK_MENU (18) 
VK_CONTROL (17) 
VK_SHIFT (16) 
VK_LWIN (91) 
VK_RWIN (92) 

4. drwtsn32.exe

  - General information about this executable  
Analysis Reason: Started by SimpleCSSHack.exe 
Filename: drwtsn32.exe 
MD5: c9f5e1de6da983e89e714ed80c11f000 
SHA-1: 1717b633478fb107d3c26344f710328b93ae550c 
File Size: 45568 Bytes
Command Line: C:\WINDOWS\system32\drwtsn32 -p 1576 -e 180 -g 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​dbgeng.dll  0x6D590000  0x000F6000 
C:\​WINDOWS\​system32\​DBGHELP.dll  0x59A60000  0x000A1000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​system32\​ShimEng.dll  0x5CB70000  0x00026000 
C:\​WINDOWS\​AppPatch\​AcGenral.DLL  0x6F880000  0x001CA000 
C:\​WINDOWS\​system32\​WINMM.dll  0x76B40000  0x0002D000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​MSACM32.dll  0x77BE0000  0x00015000 
C:\​WINDOWS\​system32\​SHELL32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​USERENV.dll  0x769C0000  0x000B4000 
C:\​WINDOWS\​system32\​UxTheme.dll  0x5AD70000  0x00038000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntsdexts.dll  0x5F170000  0x0000C000 
C:\​WINDOWS\​system32\​exts.dll  0x69480000  0x00022000 

4.a) drwtsn32.exe - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Common AppData  C:\​Documents and Settings\​All Users\​Application Data 

  - Registry Values Read:  
Key Name Value Times
HKLM\​HARDWARE\​DESCRIPTION\​System\​CentralProcessor\​0  Identifier  x86 Family 6 Model 3 Stepping 3 
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion  CurrentBuildNumber  2600 
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion  CurrentType  Uniprocessor Free 
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion  RegisteredOrganization  TU Wien, Campuslizenz 
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion  RegisteredOwner  Ihr Benutzername 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Windows  CSDVersion  768 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.iac2  aFormatTagCache  0x01000000100000000204000014000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.iac2  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.iac2  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.iac2  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.imaadpcm  aFormatTagCache  0x01000000100000001100000014000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.imaadpcm  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.imaadpcm  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.imaadpcm  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.l3acm  aFormatTagCache  0x0100000010000000550000001e000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.l3acm  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.l3acm  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.l3acm  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msadpcm  aFormatTagCache  0x01000000100000000200000032000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msadpcm  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msadpcm  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msadpcm  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msaudio1  aFormatTagCache  0x01000000120000006001000016000000610100001c000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msaudio1  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msaudio1  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msaudio1  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg711  aFormatTagCache  0x010000001000000006000000120000000700000012000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg711  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg711  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg711  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg723  aFormatTagCache  0x0100000010000000420000001c000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg723  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg723  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msg723  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msgsm610  aFormatTagCache  0x01000000100000003100000014000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msgsm610  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msgsm610  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.msgsm610  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.sl_anet  aFormatTagCache  0x01000000100000003001000016000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.sl_anet  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.sl_anet  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.sl_anet  fdwSupport 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.trspch  aFormatTagCache  0x01000000100000002200000032000000 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.trspch  cFilterTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.trspch  cFormatTags 
HKLM\​Software\​Microsoft\​AudioCompressionManager\​DriverCache\​msacm.trspch  fdwSupport 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion  CurrentType  Uniprocessor Free 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  midimapper   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.iac2  C:\​WINDOWS\​system32\​iac25_32.ax 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.imaadpcm  imaadp32.acm 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.l3acm  C:\​WINDOWS\​system32\​l3codeca.acm 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msadpcm   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msaudio1   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msg711   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msg723   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.msgsm610   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.sl_anet   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  msacm.trspch   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.I420   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.M261   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.M263   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.cvid   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iv31   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iv32   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iv41   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iv50   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.iyuv   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.mrle   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.msvc   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.uyvy   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.yuy2   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.yvu9   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  vidc.yvyu   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Drivers32  wavemapper   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Windows  AppInit_DLLs   
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common AppData  %ALLUSERSPROFILE%\​Application Data 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC 
HKLM\​System\​CurrentControlSet\​Control\​MediaProperties\​PrivateProperties\​Joystick\​Winmm  wheel 
HKLM\​System\​CurrentControlSet\​Control\​ProductOptions  ProductType  WinNT 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSAppCompat 
HKLM\​software\​microsoft\​DrWatson  AppendToLogFile 
HKLM\​software\​microsoft\​DrWatson  CrashDumpType 
HKLM\​software\​microsoft\​DrWatson  CreateCrashDump 
HKLM\​software\​microsoft\​DrWatson  DumpAllThreads 
HKLM\​software\​microsoft\​DrWatson  DumpSymbols 
HKLM\​software\​microsoft\​DrWatson  Instructions  10 
HKLM\​software\​microsoft\​DrWatson  MaximumCrashes  10 
HKLM\​software\​microsoft\​DrWatson  SoundNotification 
HKLM\​software\​microsoft\​DrWatson  VisualNotification 
HKLM\​software\​microsoft\​DrWatson  WaveFile   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Multimedia\​Audio  SystemFormats  CD Quality,Radio Quality,Telephone Quality 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Local Settings  %USERPROFILE%\​Local Settings 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Personal  %USERPROFILE%\​My Documents 

4.b) drwtsn32.exe - File Activities

  - Files Created:  
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

  - Files Read:  
C:\SimpleCSSHack.exe
PIPE\lsarpc

  - Files Modified:  
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.loginfo
PIPE\lsarpcinfo

  - Directories Created:  
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

  - File System Control Communication:  
File Control Code Times
PIPE\lsarpc  0x0011C017 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\SimpleCSSHack.exe
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\DBGHELP.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\dbgeng.dll
C:\WINDOWS\system32\exts.dll
C:\WINDOWS\system32\ntsdexts.dll
C:\Windows\AppPatch\sysmain.sdb

4.c) drwtsn32.exe - Process Activities

  - Remote Threads Created:  
Affected Process
C:\SimpleCSSHack.exe

  - Foreign Memory Regions Read:  
Process: C:\Program Files\Messenger\msmsgs.exe
Process: C:\SimpleCSSHack.exe
Process: C:\WINDOWS\explorer.exe
Process: C:\WINDOWS\system32\alg.exe
Process: C:\WINDOWS\system32\cmd.exe
Process: C:\WINDOWS\system32\csrss.exe
Process: C:\WINDOWS\system32\ctfmon.exe
Process: C:\WINDOWS\system32\drwtsn32.exe
Process: C:\WINDOWS\system32\lsass.exe
Process: C:\WINDOWS\system32\services.exe
Process: C:\WINDOWS\system32\smss.exe
Process: C:\WINDOWS\system32\spoolsv.exe
Process: C:\WINDOWS\system32\svchost.exe
Process: C:\WINDOWS\system32\wbem\wmiprvse.exe
Process: C:\WINDOWS\system32\winlogon.exe
Process: C:\WINDOWS\system32\wscntfy.exe
Process: C:\WINDOWS\system32\wuauclt.exe
Process: C:\jwsk.exeor.exe
Process: C:\sqlk.exeler.exe

  - Foreign Memory Regions Written:  
Process: C:\SimpleCSSHack.exe


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org