Analysis Report

[#############################################################################]
Analysis Report for 1b18b0f15960b38023d8c8a7cfd72e5d
MD5: 1b18b0f15960b38023d8c8a7cfd72e5d
[#############################################################################]

Summary:
 - Write to foreign memory areas: This executable tampers with the execution of another process.
 - Performs Registry Activities: The executable creates and/or modifies registry entries.

[=============================================================================]
Table of Contents
[=============================================================================]
 - General information
 - 1b18b0f159.exe
   a) Registry Activities
   b) File Activities
   c) Process Activities
 - Explorer.EXE
   a) Registry Activities
   b) Other Activities

[#############################################################################]
1. General Information
[#############################################################################]

[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 251 s
Report created: 10/13/11, 18:36:59 UTC
Termination reason: Timeout
Program version: 1.75.3394

[=============================================================================]
Popups
[=============================================================================]
Process: explorer.exe
Window Name:
Displayed Times: 1
Window Text: Start 15:30 Notification Area TF_FloatingLangBar_WndTitle Running Applications Running Applications Quick Launch

[#############################################################################]
2. 1b18b0f159.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: 1b18b0f159.exe
MD5: 1b18b0f15960b38023d8c8a7cfd72e5d
SHA-1: 739f137315fec99e16a99af61a9ac00e88ea1643
File Size: 130960 Bytes
Command Line: "C:\1b18b0f159.exe"
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\OPENGL32.dll ], Base Address: [0x5ED00000 ], Size: [0x000CC000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GLU32.dll ], Base Address: [0x68B20000 ], Size: [0x00020000 ]
Module Name: [ C:\WINDOWS\system32\DDRAW.dll ], Base Address: [0x73760000 ], Size: [0x0004B000 ]
Module Name: [ C:\WINDOWS\system32\DCIMAN32.dll ], Base Address: [0x73BC0000 ], Size: [0x00006000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\urlmon.dll ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]

[=============================================================================]
2.a) 1b18b0f159.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\DirectDraw\MostRecentApplication ], Value Name: [ ID ], New Value: [ 1318012221 ]
Key: [ HKLM\Software\Microsoft\DirectDraw\MostRecentApplication ], Value Name: [ Name ], New Value: [ 1b18b0f159.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug! ], Value Name: [ Flags ], Value: [ 0x01000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug! ], Value Name: [ ID ], Value: [ 0x3d620932 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Bug! ], Value Name: [ Name ], Value: [ BUG!.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2 ], Value Name: [ Flags ], Value: [ 0x01000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2 ], Value Name: [ ID ], Value: [ 0x44838832 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\DemolitionDerby2 ], Value Name: [ Name ], Value: [ DD2.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3 ], Value Name: [ Flags ], Value: [ 0x01000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3 ], Value Name: [ ID ], Value: [ 0xfc6de731 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\MortalKombat3 ], Value Name: [ Name ], Value: [ MK3W.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98 ], Value Name: [ Flags ], Value: [ 0x20000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98 ], Value Name: [ ID ], Value: [ 0x0dea1a35 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\MsGolf98 ], Value Name: [ Name ], Value: [ game.exe ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay ], Value Name: [ Flags ], Value: [ 0x01000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay ], Value Name: [ ID ], Value: [ 0xff3fbf31 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\NHLPowerPlay ], Value Name: [ Name ], Value: [ PP96.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo ], Value Name: [ Flags ], Value: [ 0x04000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo ], Value Name: [ ID ], Value: [ 0x29ea6332 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\NortonSystemInfo ], Value Name: [ Name ], Value: [ SI32.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron ], Value Name: [ Flags ], Value: [ 0x40000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron ], Value Name: [ ID ], Value: [ 0xd1d74c36 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Rogue Squadron ], Value Name: [ Name ], Value: [ ROGUE SQUADRON.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage ], Value Name: [ Flags ], Value: [ 0x01000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage ], Value Name: [ ID ], Value: [ 0x00876531 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Savage ], Value Name: [ Name ], Value: [ SAVAGE32.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet ], Value Name: [ Flags ], Value: [ 0x02000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet ], Value Name: [ ID ], Value: [ 0x69044c32 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ScorchedPlanet ], Value Name: [ Name ], Value: [ SPLANETW.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\SilentThunder ], Value Name: [ Flags ], Value: [ 0x01000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\SilentThunder ], Value Name: [ ID ], Value: [ ] 5V ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\SilentThunder ], Value Name: [ Name ], Value: [ A10SIM.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Terracide ], Value Name: [ Flags ], Value: [ 0x04000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Terracide ], Value Name: [ ID ], Value: [ 0x66cb9533 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\Terracide ], Value Name: [ Name ], Value: [ TERAWIN.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ThirdDimension ], Value Name: [ Flags ], Value: [ 0x04000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ThirdDimension ], Value Name: [ ID ], Value: [ 0xbf817f32 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ThirdDimension ], Value Name: [ Name ], Value: [ t3rd.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark ], Value Name: [ Flags ], Value: [ 0x04000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark ], Value Name: [ ID ], Value: [ m[M3 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark ], Value Name: [ Name ], Value: [ BEND3DIM.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark ], Value Name: [ Flags ], Value: [ 0x04000000 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark ], Value Name: [ ID ], Value: [ 0x46fc4b33 ], 1 time
Key: [ HKLM\Software\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark ], Value Name: [ Name ], Value: [ WBD3D.EXE ], 2 times
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], Value Name: [ * ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], Value Name: [ * ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time

[=============================================================================]
2.b) 1b18b0f159.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Recycle.Bin\ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\1b18b0f159.exe ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\win.ini ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directory: [ C:\Recycle.Bin\ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\COMCTL32.dll ]
File Name: [ C:\WINDOWS\system32\DCIMAN32.dll ]
File Name: [ C:\WINDOWS\system32\DDRAW.dll ]
File Name: [ C:\WINDOWS\system32\GLU32.dll ]
File Name: [ C:\WINDOWS\system32\OPENGL32.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\urlmon.dll ]
File Name: [ \systemroot\system32\kernel32.dll ]

[=============================================================================]
2.c) 1b18b0f159.exe - Process Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\explorer.exe ]

[#############################################################################]
3. Explorer.EXE
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: 1b18b0f159.exe wrote to the virtual memory of this process
Filename: Explorer.EXE
MD5: 12896823fb95bfb3dc9b46bcaedc9923
SHA-1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f
File Size: 1033728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE
Process-status at analysis end: dead
Exit Code: -1073741794

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\BROWSEUI.dll ], Base Address: [0x75F80000 ], Size: [0x000FD000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\SHDOCVW.dll ], Base Address: [0x7E290000 ], Size: [0x00171000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ], Base Address: [0x754D0000 ], Size: [0x00080000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\appHelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\System32\cscui.dll ], Base Address: [0x77A20000 ], Size: [0x00054000 ]
Module Name: [ C:\WINDOWS\System32\CSCDLL.dll ], Base Address: [0x76600000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\themeui.dll ], Base Address: [0x5BA60000 ], Size: [0x00071000 ]
Module Name: [ C:\WINDOWS\system32\MSIMG32.dll ], Base Address: [0x76380000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x00AC0000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\actxprxy.dll ], Base Address: [0x71D40000 ], Size: [0x0001B000 ]
Module Name: [ C:\WINDOWS\system32\msutb.dll ], Base Address: [0x5FC10000 ], Size: [0x00033000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\urlmon.dll ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\LINKINFO.dll ], Base Address: [0x76980000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\ntshrui.dll ], Base Address: [0x76990000 ], Size: [0x00025000 ]
Module Name: [ C:\WINDOWS\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ C:\WINDOWS\system32\msi.dll ], Base Address: [0x7D1E0000 ], Size: [0x002BC000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\webcheck.dll ], Base Address: [0x74B30000 ], Size: [0x00046000 ]
Module Name: [ C:\WINDOWS\system32\WSOCK32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\stobject.dll ], Base Address: [0x76280000 ], Size: [0x00021000 ]
Module Name: [ C:\WINDOWS\system32\BatMeter.dll ], Base Address: [0x74AF0000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\POWRPROF.dll ], Base Address: [0x74AD0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\NETSHELL.dll ], Base Address: [0x76400000 ], Size: [0x001A5000 ]
Module Name: [ C:\WINDOWS\system32\credui.dll ], Base Address: [0x76C00000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\dot3api.dll ], Base Address: [0x478C0000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\dot3dlg.dll ], Base Address: [0x736D0000 ], Size: [0x00006000 ]
Module Name: [ C:\WINDOWS\system32\OneX.DLL ], Base Address: [0x5DCA0000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\eappcfg.dll ], Base Address: [0x745B0000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ]
Module Name: [ C:\WINDOWS\system32\eappprxy.dll ], Base Address: [0x5DCD0000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\System32\drprov.dll ], Base Address: [0x75F60000 ], Size: [0x00007000 ]
Module Name: [ C:\WINDOWS\System32\ntlanman.dll ], Base Address: [0x71C10000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\System32\NETUI0.dll ], Base Address: [0x71CD0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\System32\NETUI1.dll ], Base Address: [0x71C90000 ], Size: [0x00040000 ]
Module Name: [ C:\WINDOWS\System32\NETRAP.dll ], Base Address: [0x71C80000 ], Size: [0x00007000 ]
Module Name: [ C:\WINDOWS\System32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\System32\davclnt.dll ], Base Address: [0x75F70000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\MSGINA.dll ], Base Address: [0x75970000 ], Size: [0x000F8000 ]
Module Name: [ C:\WINDOWS\system32\ODBC32.dll ], Base Address: [0x74320000 ], Size: [0x0003D000 ]
Module Name: [ C:\WINDOWS\system32\odbcint.dll ], Base Address: [0x01350000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\browselc.dll ], Base Address: [0x71600000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\shdoclc.dll ], Base Address: [0x71800000 ], Size: [0x00088000 ]

[=============================================================================]
3.a) Explorer.EXE - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 2 times

[=============================================================================]
3.b) Explorer.EXE - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutex: [ zXeRY3a_PtW|00000000 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Keyboard Keys Monitored:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Virtual Key Code: [ VK_LBUTTON (1) ], 4 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc000001e at 0x1880368 ], 3 times

[#############################################################################]
International Secure Systems Lab  http://www.iseclab.org
Vienna University of Technology   http://www.tuwien.ac.at
Eurecom France                    http://www.eurecom.fr
UC Santa Barbara                  http://www.cs.ucsb.edu
Contact: anubis@iseclab.org