Analysis Report for 38d68dab3e2f92e2e53d9c1863b62fbf

Comment on this report

Summary:

Description	Risk
Write to foreign memory areas: This executable tampers with the execution of another process.
AV Hit: This executable is detected by an antivirus software.
Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Execution did not terminate correctly: The executable crashed.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable creates and/or modifies registry entries.

Table of Contents
expand all	collapse all
General information 38d68dab3e.exe C:\38d68dab3e.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities dwwin.exe C:\WINDOWS\system32\dwwin.exe Started by 38d68dab3e.exe General Information a) Registry Activities b) File Activities c) Process Activities drwtsn32.exe C:\WINDOWS\system32\drwtsn32.exe Started by 38d68dab3e.exe General Information a) Registry Activities b) File Activities c) Process Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	127 s
Report created:	04/17/11, 14:34:07 UTC
Termination reason:	All tracked processes have exited
Program version:	1.75.3394

2. 38d68dab3e.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	38d68dab3e.exe
MD5:	38d68dab3e2f92e2e53d9c1863b62fbf
SHA-1:	4c060fb681f234dd03fe6815e211cf998aece47b
File Size:	1486848 Bytes
Command Line:	"C:\38d68dab3e.exe"
Process-status at analysis end:	dead
Exit Code:	-1073741794

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\COMCTL32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\faultrep.dll	0x69450000	0x00016000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

	- SigBuster Output

Armadillo v3.78-4.xx SN:712

	- Ikarus Virus Scanner

Trojan.Win32.Rimecud (Sig-Id:56486328)

2.a) 38d68dab3e.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Microsoft\PCHealth\ErrorReporting	AllOrNone	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	DoReport	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeKernelFaults	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeMicrosoftApps	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeWindowsApps	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	ShowUI	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Auto	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Debugger	drwtsn32 -p %ld -e %ld -g	1
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	D:\	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	1
HKLM\System\Setup	SystemSetupInProgress	0	2
HKLM\System\WPA\PnP	seed	1274198464	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1

2.b) 38d68dab3e.exe - File Activities

	- Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6978_appcompat.txt

	- Files Read:

C:\WINDOWS\system32\winsock.dll

PIPE\lsarpc

	- Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6978_appcompat.txt

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1
PIPE\lsarpc	0x0011C017	6

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\COMCTL32.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\advapi32.dll

C:\WINDOWS\system32\apphelp.dll

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\dwwin.exe

C:\WINDOWS\system32\faultrep.dll

C:\WINDOWS\system32\gdi32.dll

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\ntdll.dll

C:\WINDOWS\system32\ole32.dll

C:\WINDOWS\system32\oleaut32.dll

C:\WINDOWS\system32\shell32.dll

C:\WINDOWS\system32\user32.dll

C:\WINDOWS\system32\wininet.dll

C:\WINDOWS\system32\winsock.dll

C:\Windows\AppPatch\sysmain.sdb

2.c) 38d68dab3e.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\dwwin.exe
	C:\WINDOWS\system32\dwwin.exe -x -s 168
C:\WINDOWS\system32\drwtsn32.exe
	C:\WINDOWS\system32\drwtsn32 -p 1192 -e 132 -g

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\dwwin.exe

C:\WINDOWS\system32\drwtsn32.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\dwwin.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\dwwin.exe

2.d) 38d68dab3e.exe - Other Activities

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4bb1b3	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4bb888	1
Exception 0xc000001e at 0x4c45c3	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c45c5	1
Exception 0xc000001e at 0x4c451f	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c4521	1
Exception 0xc000001e at 0x4c447d	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c447f	1
Exception 0xc000001e at 0x4c43db	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c43dd	1
Exception 0xc000001e at 0x4c4337	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c4339	1
Exception 0xc000001e at 0x4c4295	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c4297	1
Exception 0xc000001e at 0x4c41f1	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c41f3	1
Exception 0xc000001e at 0x4c414d	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c414f	1
Exception 0xc000001e at 0x4c40ab	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c40ad	1
Exception 0xc000001e at 0x4c4008	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c400a	1
Exception 0xc000001e at 0x4c3f65	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3f67	1
Exception 0xc000001e at 0x4c3ec2	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3ec4	1
Exception 0xc000001e at 0x4c3e20	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3e22	1
Exception 0xc000001e at 0x4c3d7e	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3d80	1
Exception 0xc000001e at 0x4c3cdc	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3cde	1
Exception 0xc000001e at 0x4c3c3a	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3c3c	1
Exception 0xc000001e at 0x4c3b98	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3b9a	1
Exception 0xc000001e at 0x4c3af6	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3af8	1
Exception 0xc000001e at 0x4c3a52	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3a54	1
Exception 0xc000001e at 0x4c39ae	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c39b0	1
Exception 0xc000001e at 0x4c390a	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c390c	1
Exception 0xc000001e at 0x4c3868	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c386a	1
Exception 0xc000001e at 0x4c37c4	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c37c6	1
Exception 0xc000001e at 0x4c3721	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3723	1
Exception 0xc000001e at 0x4c367d	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c367f	1
Exception 0xc000001e at 0x4c35d9	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c35db	1
Exception 0xc000001e at 0x4c3535	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3537	1
Exception 0xc000001e at 0x4c3492	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3494	1
Exception 0xc000001e at 0x4c33f0	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c33f2	1
Exception 0xc000001e at 0x4c334d	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c334f	1
Exception 0xc000001e at 0x4c32ab	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c32ad	1
Exception 0xc000001e at 0x4c3207	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3209	1
Exception 0xc000001e at 0x4c3165	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3167	1
Exception 0xc000001e at 0x4c30c2	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c30c4	1
Exception 0xc000001e at 0x4c3020	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c3022	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4bea84	1
Exception 0xc000001e at 0x4c2fa1	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2fa3	1
Exception 0xc000001e at 0x4c2f4a	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2f4c	1
Exception 0xc000001e at 0x4c2ef4	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2ef6	1
Exception 0xc000001e at 0x4c2e9f	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2ea1	1
Exception 0xc000001e at 0x4c2e48	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2e4a	1
Exception 0xc000001e at 0x4c2df3	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2df5	1
Exception 0xc000001e at 0x4c2d9e	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2da0	1
Exception 0xc000001e at 0x4c2d49	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2d4b	1
Exception 0xc000001e at 0x4c2cf3	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2cf5	1
Exception 0xc000001e at 0x4c2c9e	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2ca0	1
Exception 0xc000001e at 0x4c2c47	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2c49	1
Exception 0xc000001e at 0x4c2bf2	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2bf4	1
Exception 0xc000001e at 0x4c2b9c	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2b9e	1
Exception 0xc000001e at 0x4c2b47	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2b49	1
Exception 0xc000001e at 0x4c2af2	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2af4	1
Exception 0xc000001e at 0x4c2a9d	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2a9f	1
Exception 0xc000001e at 0x4c2a47	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2a49	1
Exception 0xc000001e at 0x4c29f1	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c29f3	1
Exception 0xc000001e at 0x4c299c	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c299e	1
Exception 0xc000001e at 0x4c2947	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2949	1
Exception 0xc000001e at 0x4c28f2	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c28f4	1
Exception 0xc000001e at 0x4c289c	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c289e	1
Exception 0xc000001e at 0x4c2845	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2847	1
Exception 0xc000001e at 0x4c27f0	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c27f2	1
Exception 0xc000001e at 0x4c279a	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c279c	1
Exception 0xc000001e at 0x4c2745	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2747	1
Exception 0xc000001e at 0x4c26f0	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c26f2	1
Exception 0xc000001e at 0x4c2699	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c269b	1
Exception 0xc000001e at 0x4c2643	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2645	1
Exception 0xc000001e at 0x4c25ec	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c25ee	1
Exception 0xc000001e at 0x4c2597	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2599	1
Exception 0xc000001e at 0x4c2540	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2542	1
Exception 0xc000001e at 0x4c24eb	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c24ed	1
Exception 0xc000001e at 0x4c2496	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2498	1
Exception 0xc000001e at 0x4c2441	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2443	1
Exception 0xc000001e at 0x4c23ea	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c23ec	1
Exception 0xc000001e at 0x4c2395	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2397	1
Exception 0xc000001e at 0x4c2340	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2342	1
Exception 0xc000001e at 0x4c22e9	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c22eb	1
Exception 0xc000001e at 0x4c2292	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2294	1
Exception 0xc000001e at 0x4c223c	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c223e	1
Exception 0xc000001e at 0x4c21e5	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c21e7	1
Exception 0xc000001e at 0x4c2190	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2192	1
Exception 0xc000001e at 0x4c213b	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c213d	1
Exception 0xc000001e at 0x4c20e6	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c20e8	1
Exception 0xc000001e at 0x4c2091	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c2093	1
Exception 0xc000001e at 0x4c203c	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c203e	1
Exception 0xc000001e at 0x4c1fe5	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1fe7	1
Exception 0xc000001e at 0x4c1f90	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1f92	1
Exception 0xc000001e at 0x4c1f3b	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1f3d	1
Exception 0xc000001e at 0x4c1ee4	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1ee6	1
Exception 0xc000001e at 0x4c1e8d	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1e8f	1
Exception 0xc000001e at 0x4c1e36	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1e38	1
Exception 0xc000001e at 0x4c1de1	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1de3	1
Exception 0xc000001e at 0x4c1d8b	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1d8d	1
Exception 0xc000001e at 0x4c1d36	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1d38	1
Exception 0xc000001e at 0x4c1ce1	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1ce3	1
Exception 0xc000001e at 0x4c1c8c	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1c8e	1
Exception 0xc000001e at 0x4c1c35	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1c37	1
Exception 0xc000001e at 0x4c1bdf	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c1be1	1
Exception 0xc000001e at 0x4c0bb2	1
Exception 0xc000001e at 0x4c0ceb	1
Exception 0xc000001e at 0x462269	1

3. dwwin.exe

	- General information about this executable

Analysis Reason:	Started by 38d68dab3e.exe
Filename:	dwwin.exe
MD5:	86042f6f6a5287eaf9379c91d0bf72b6
SHA-1:	532bf74e6aead7438aa7264d01759a065410ee68
File Size:	180224 Bytes
Command Line:	C:\WINDOWS\system32\dwwin.exe -x -s 168
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.DLL	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\COMCTL32.DLL	0x5D090000	0x0009A000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\OLEAUT32.DLL	0x77120000	0x0008B000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHELL32.DLL	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\URLMON.DLL	0x7E1E0000	0x000A2000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.DLL	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\1033\dwintl.dll	0x314C0000	0x0000C000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\sensapi.dll	0x722B0000	0x00005000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\riched20.dll	0x74E30000	0x0006D000
C:\WINDOWS\system32\imm32.dll	0x76390000	0x0001D000
C:\WINDOWS\system32\shfolder.dll	0x76780000	0x00009000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.DLL	0x76EE0000	0x0003C000

	- Popups

Window Name	Window Text	Screenshot	Number of Displayed Times
R1rv9WytU	&Don't Send R1rv9WytU has encountered a problem and needs to close. We are sorry for the inconvenience. R1rv9WytU has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, Details &Send Error Report		1

3.a) dwwin.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths	Directory	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths	Paths	4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1	CacheLimit	40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1	CachePath	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2	CacheLimit	40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2	CachePath	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3	CacheLimit	40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3	CachePath	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4	CacheLimit	40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4	CachePath	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	History	C:\Documents and Settings\Administrator\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Personal	C:\Documents and Settings\Administrator\My Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000001600000001000000000000000000000000000000040000000000

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	0x01000000100000000204000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	0x01000000100000001100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	0x0100000010000000550000001e000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	0x01000000100000000200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	0x01000000120000006001000016000000610100001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	0x010000001000000006000000120000000700000012000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	0x0100000010000000420000001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	0x01000000100000003100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	0x01000000100000003001000016000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	0x01000000100000002200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	1	1
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS	*	1	1
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL	*	1	1
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion	DigitalProductId	0xa40000000300000037363438372d3634302d313435373233362d32333833	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Debugger	drwtsn32 -p %ld -e %ld -g	4
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	midimapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	imaadp32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.I420		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M261		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M263		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.cvid		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv31		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv32		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv41		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv50		1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iyuv		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.mrle		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.msvc		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.uyvy		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yuy2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvu9		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvyu		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	wavemapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	4
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500	ProfileImagePath	%SystemDrive%\Documents and Settings\Administrator	2
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	3
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	3
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	5
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	4
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TMP	%USERPROFILE%\Local Settings\Temp	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	6
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	6
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableNegotiate	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnPost	0x01000000	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Settings	Anchor Color	0,0,255	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio	SystemFormats	CD Quality,Radio Quality,Telephone Quality	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	History	%USERPROFILE%\Local Settings\History	3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	Signature	Client UrlCache MMF Ver 5.2	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CacheLimit	163410	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CachePrefix		2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	PerUserItem	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CacheLimit	8192	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CachePrefix	Cookie:	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	PerUserItem	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218	CacheLimit	8192	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218	CacheOptions	11	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021720110218\	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218	CachePrefix	:2011021720110218:	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218	CacheRepair	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219	CacheLimit	8192	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219	CacheOptions	11	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219	CachePath	%USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021820110219\	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219	CachePrefix	:2011021820110219:	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219	CacheRepair	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CacheLimit	8192	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CachePrefix	Visited:	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	PerUserItem	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	DefaultConnectionSettings	0x3c0000000300000001000000000000000000000000000000040000000000	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000001500000001000000000000000000000000000000040000000000	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	APPDATA	C:\Documents and Settings\Administrator\Application Data	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	CLIENTNAME	Console	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEDRIVE	C:	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEPATH	\Documents and Settings\Administrator	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMESHARE		4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	LOGONSERVER	\\PC	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	SESSIONNAME	Console	4

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	2

3.b) dwwin.exe - File Activities

	- Files Deleted:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\69618.dmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6978_appcompat.txt

	- Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\69618.dmp

	- Files Read:

C:\38d68dab3e.exe

C:\WINDOWS\win.ini

PIPE\lsarpc

c:\autoexec.bat

	- Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\69618.dmp

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
C:\WINDOWS\system32	0x00090028	1
PIPE\lsarpc	0x0011C017	16

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\38d68dab3e.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\69618.dmp

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\1033\dwintl.dll

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\COMCTL32.DLL

C:\WINDOWS\system32\COMCTL32.dll

C:\WINDOWS\system32\GDI32.dll

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\NETAPI32.dll

C:\WINDOWS\system32\PSAPI.DLL

C:\WINDOWS\system32\RASAPI32.DLL

C:\WINDOWS\system32\RPCRT4.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\SHELL32.DLL

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\SHLWAPI.dll

C:\WINDOWS\system32\Secur32.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\URLMON.DLL

C:\WINDOWS\system32\USER32.dll

C:\WINDOWS\system32\USERENV.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\VERSION.dll

C:\WINDOWS\system32\WININET.DLL

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\comdlg32.dll

C:\WINDOWS\system32\faultrep.dll

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\msvcrt.dll

C:\WINDOWS\system32\ntdll.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\riched20.dll

C:\WINDOWS\system32\rtutils.dll

C:\WINDOWS\system32\sensapi.dll

C:\WINDOWS\system32\shfolder.dll

C:\Windows\AppPatch\sysmain.sdb

3.c) dwwin.exe - Process Activities

	- Foreign Memory Regions Read:

Process: C:\38d68dab3e.exe

4. drwtsn32.exe

	- General information about this executable

Analysis Reason:	Started by 38d68dab3e.exe
Filename:	drwtsn32.exe
MD5:	c9f5e1de6da983e89e714ed80c11f000
SHA-1:	1717b633478fb107d3c26344f710328b93ae550c
File Size:	45568 Bytes
Command Line:	C:\WINDOWS\system32\drwtsn32 -p 1192 -e 132 -g
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\dbgeng.dll	0x6D590000	0x000F6000
C:\WINDOWS\system32\DBGHELP.dll	0x59A60000	0x000A1000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntsdexts.dll	0x5F170000	0x0000C000
C:\WINDOWS\system32\exts.dll	0x69480000	0x00022000
C:\WINDOWS\system32\psapi.dll	0x76BF0000	0x0000B000

4.a) drwtsn32.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKLM\software\microsoft\DrWatson	NumberOfCrashes	1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Identifier	x86 Family 6 Model 3 Stepping 3	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	CurrentBuildNumber	2600	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	CurrentType	Uniprocessor Free	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	RegisteredOrganization	TU Wien, Campuslizenz	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	RegisteredOwner	Ihr Benutzername	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\CurrentControlSet\Control\Windows	CSDVersion	768	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	0x01000000100000000204000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	0x01000000100000001100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	0x0100000010000000550000001e000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	0x01000000100000000200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	0x01000000120000006001000016000000610100001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	0x010000001000000006000000120000000700000012000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	0x0100000010000000420000001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	0x01000000100000003100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	0x01000000100000003001000016000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	0x01000000100000002200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion	CurrentType	Uniprocessor Free	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	midimapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	msg723.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	tssoft32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.I420		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M261		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M263		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.cvid		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv31		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv32		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv41		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv50		1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iyuv		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.mrle		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.msvc		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.uyvy		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yuy2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvu9		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvyu		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	wavemapper		2
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	4
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\software\microsoft\DrWatson	AppendToLogFile	1	1
HKLM\software\microsoft\DrWatson	CrashDumpType	1	1
HKLM\software\microsoft\DrWatson	CreateCrashDump	1	1
HKLM\software\microsoft\DrWatson	DumpAllThreads	1	1
HKLM\software\microsoft\DrWatson	DumpSymbols	0	1
HKLM\software\microsoft\DrWatson	Instructions	10	1
HKLM\software\microsoft\DrWatson	MaximumCrashes	10	1
HKLM\software\microsoft\DrWatson	NumberOfCrashes	0	2
HKLM\software\microsoft\DrWatson	SoundNotification	0	1
HKLM\software\microsoft\DrWatson	VisualNotification	0	1
HKLM\software\microsoft\DrWatson	WaveFile		1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio	SystemFormats	CD Quality,Radio Quality,Telephone Quality	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1

4.b) drwtsn32.exe - File Activities

	- Files Created:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

	- Files Read:

C:\38d68dab3e.exe

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

PIPE\lsarpc

	- Files Modified:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

PIPE\lsarpc

	- Directories Created:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\38d68dab3e.exe

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\COMCTL32.dll

C:\WINDOWS\system32\DBGHELP.dll

C:\WINDOWS\system32\GDI32.dll

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\RPCRT4.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\SHLWAPI.dll

C:\WINDOWS\system32\Secur32.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\USER32.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\VERSION.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\comdlg32.dll

C:\WINDOWS\system32\dbgeng.dll

C:\WINDOWS\system32\exts.dll

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\msvcrt.dll

C:\WINDOWS\system32\ntdll.dll

C:\WINDOWS\system32\ntsdexts.dll

C:\WINDOWS\system32\psapi.dll

C:\Windows\AppPatch\sysmain.sdb

4.c) drwtsn32.exe - Process Activities

	- Processes Killed:

C:\38d68dab3e.exe

	- Remote Threads Created:

Affected Process

C:\38d68dab3e.exe

	- Foreign Memory Regions Read:

Process: C:\38d68dab3e.exe

Process: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

Process: C:\Program Files\Common Files\drlwszvxbeo.exe

Process: C:\Program Files\Common Files\kxuckd.exe

Process: C:\Program Files\Messenger\msmsgs.exe

Process: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Process: C:\WINDOWS\explorer.exe

Process: C:\WINDOWS\system32\alg.exe

Process: C:\WINDOWS\system32\csrss.exe

Process: C:\WINDOWS\system32\ctfmon.exe

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\lsass.exe

Process: C:\WINDOWS\system32\services.exe

Process: C:\WINDOWS\system32\smss.exe

Process: C:\WINDOWS\system32\spoolsv.exe

Process: C:\WINDOWS\system32\svchost.exe

Process: C:\WINDOWS\system32\winlogon.exe

Process: C:\WINDOWS\system32\wscntfy.exe

Process: C:\WINDOWS\system32\wuauclt.exe

	- Foreign Memory Regions Written:

Process: C:\38d68dab3e.exe

Analysis Report for 38d68dab3e2f92e2e53d9c1863b62fbf

Summary:

Table of Contents