Analysis Report for 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

Comment on this report

Summary:

Description	Risk
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781 C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781 Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities dwwin.exe C:\WINDOWS\system32\dwwin.exe Started by 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781 General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities drwtsn32.exe C:\WINDOWS\system32\drwtsn32.exe Started by 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781 General Information a) Registry Activities b) File Activities c) Process Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	241 s
Report created:	08/29/09, 21:27:26 UTC
Termination reason:	Timeout
Program version:	1.71.0

2. 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781
MD5:	dd16440ab3ecd625d3ad3a959701554f
SHA-1:	370439eb68779c5de5598e7415640fb87355aa83
File Size:	147456 Bytes
Command Line:	"C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781"
Process-status at analysis end:	dead
Exit Code:	-1073741819

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781	0x00400000	0x00024000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MFC42.DLL	0x73DD0000	0x000FE000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\faultrep.dll	0x69450000	0x00016000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

	- Ikarus Virus Scanner

Trojan.Generic.IS (Sig-Id:32217521)

2.a) 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781 - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Microsoft\PCHealth\ErrorReporting	AllOrNone	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	DoReport	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeKernelFaults	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeMicrosoftApps	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	IncludeWindowsApps	1	1
HKLM\Software\Microsoft\PCHealth\ErrorReporting	ShowUI	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Auto	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Debugger	drwtsn32 -p %ld -e %ld -g	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs		1
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	D:\	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSAppCompat	0	3
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	1
HKLM\System\Setup	SystemSetupInProgress	0	2
HKLM\System\WPA\PnP	seed	1274198464	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1

2.b) 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781 - File Activities

	- Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b4fb_appcompat.txt

	- Files Read:

C:\WINDOWS\system32\winsock.dll

PIPE\lsarpc

	- Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b4fb_appcompat.txt

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
C:\	0x00090028	1
PIPE\lsarpc	0x0011C017	6

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\MFC42.DLL

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\advapi32.dll

C:\WINDOWS\system32\apphelp.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\dwwin.exe

C:\WINDOWS\system32\faultrep.dll

C:\WINDOWS\system32\gdi32.dll

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\mfc42.dll

C:\WINDOWS\system32\ntdll.dll

C:\WINDOWS\system32\ole32.dll

C:\WINDOWS\system32\oleaut32.dll

C:\WINDOWS\system32\shell32.dll

C:\WINDOWS\system32\user32.dll

C:\WINDOWS\system32\wininet.dll

C:\WINDOWS\system32\winsock.dll

C:\Windows\AppPatch\sysmain.sdb

2.c) 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781 - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\dwwin.exe
	C:\WINDOWS\system32\dwwin.exe -x -s 176
C:\WINDOWS\system32\drwtsn32.exe
	C:\WINDOWS\system32\drwtsn32 -p 1576 -e 140 -g

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\dwwin.exe

C:\WINDOWS\system32\drwtsn32.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\dwwin.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\dwwin.exe

2.d) 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781 - Other Activities

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x73e69cdc	1

3. dwwin.exe

	- General information about this executable

Analysis Reason:	Started by 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781
Filename:	dwwin.exe
MD5:	86042f6f6a5287eaf9379c91d0bf72b6
SHA-1:	532bf74e6aead7438aa7264d01759a065410ee68
File Size:	180224 Bytes
Command Line:	C:\WINDOWS\system32\dwwin.exe -x -s 176
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.DLL	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\COMCTL32.DLL	0x5D090000	0x0009A000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\OLEAUT32.DLL	0x77120000	0x0008B000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHELL32.DLL	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\URLMON.DLL	0x7E1E0000	0x000A2000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.DLL	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\1033\dwintl.dll	0x314C0000	0x0000C000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\sensapi.dll	0x722B0000	0x00005000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\riched20.dll	0x74E30000	0x0006D000
C:\WINDOWS\system32\imm32.dll	0x76390000	0x0001D000
C:\WINDOWS\system32\shfolder.dll	0x76780000	0x00009000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.DLL	0x76EE0000	0x0003C000

	- Popups

Window Name	Window Text	Screenshot	Number of Displayed Times
32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a	&Don't Send 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a has encountered a problem and needs to close. We are sorry for the inconvenience. 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, Details &Send Error Report		1

3.a) dwwin.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths	Directory	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths	Paths	4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1	CacheLimit	40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1	CachePath	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2	CacheLimit	40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2	CachePath	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3	CacheLimit	40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3	CachePath	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4	CacheLimit	40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4	CachePath	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	History	C:\Documents and Settings\Administrator\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Personal	C:\Documents and Settings\Administrator\My Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000000500000009000000000000000000000000000000000000000000

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP	Default	0x00000000	1
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP	DllFile	%SystemRoot%\system32\iedkcs32.dll	2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP	FileExtensions	.ins	2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG	Default	0x01000000	1
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG	DllFile	%SystemRoot%\system32\jsproxy.dll	2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG	FileExtensions	.pac;.jvs;.js	2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG	Flags	0x01000000	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	0x01000000100000000204000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	0x01000000100000001100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	0x0100000010000000550000001e000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	0x01000000100000000200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	0x01000000120000006001000016000000610100001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	0x010000001000000006000000120000000700000012000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	0x0100000010000000420000001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	0x01000000100000003100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	0x01000000100000003001000016000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	0x01000000100000002200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	1	1
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS	*	1	1
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL	*	1	1
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion	DigitalProductId	0xa40000000300000037363438372d3634302d313435373233362d32333833	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug	Debugger	drwtsn32 -p %ld -e %ld -g	4
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	midimapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	C:\WINDOWS\system32\iac25_32.ax	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	imaadp32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	msgsm32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.I420		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M261		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M263		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.cvid		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv31		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv32		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv41		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv50		1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iyuv		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.mrle		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.msvc		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.uyvy		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yuy2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvu9		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvyu		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	wavemapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	4
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500	ProfileImagePath	%SystemDrive%\Documents and Settings\Administrator	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs		1
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	3
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	3
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	5
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	4
HKLM\System\CurrentControlSet\Control\Terminal Server	TSAppCompat	0	3
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TMP	%USERPROFILE%\Local Settings\Temp	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	6
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	6
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableNegotiate	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WarnOnPost	0x01000000	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Settings	Anchor Color	0,0,255	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio	SystemFormats	CD Quality,Radio Quality,Telephone Quality	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	History	%USERPROFILE%\Local Settings\History	3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	Signature	Client UrlCache MMF Ver 5.2	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CacheLimit	163410	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	CachePrefix		2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	PerUserItem	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CacheLimit	8192	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	CachePrefix	Cookie:	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	PerUserItem	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CacheLimit	8192	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	CachePrefix	Visited:	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	PerUserItem	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	DefaultConnectionSettings	0x3c0000000200000009000000000000000000000000000000000000000000	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000000400000009000000000000000000000000000000000000000000	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	APPDATA	C:\Documents and Settings\Administrator\Application Data	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	CLIENTNAME		4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEDRIVE	C:	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEPATH	\Documents and Settings\Administrator	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMESHARE		4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	LOGONSERVER	\\PC	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	SESSIONNAME	Console	4

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	2

3.b) dwwin.exe - File Activities

	- Files Deleted:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7F53B.dmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b4fb_appcompat.txt

	- Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7F53B.dmp

	- Files Read:

C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

C:\WINDOWS\win.ini

PIPE\lsarpc

c:\autoexec.bat

	- Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7F53B.dmp

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
C:\WINDOWS\system32	0x00090028	1
PIPE\lsarpc	0x0011C017	16

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7F53B.dmp

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\1033\dwintl.dll

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\COMCTL32.DLL

C:\WINDOWS\system32\CRYPT32.dll

C:\WINDOWS\system32\GDI32.dll

C:\WINDOWS\system32\MFC42.DLL

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\MSASN1.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\NETAPI32.dll

C:\WINDOWS\system32\OLEAUT32.dll

C:\WINDOWS\system32\PSAPI.DLL

C:\WINDOWS\system32\RASAPI32.DLL

C:\WINDOWS\system32\RPCRT4.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\SHELL32.DLL

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\SHLWAPI.dll

C:\WINDOWS\system32\Secur32.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\URLMON.DLL

C:\WINDOWS\system32\USER32.dll

C:\WINDOWS\system32\USERENV.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\VERSION.dll

C:\WINDOWS\system32\WININET.DLL

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\faultrep.dll

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\msvcrt.dll

C:\WINDOWS\system32\ntdll.dll

C:\WINDOWS\system32\ole32.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\riched20.dll

C:\WINDOWS\system32\rtutils.dll

C:\WINDOWS\system32\sensapi.dll

C:\WINDOWS\system32\shfolder.dll

C:\Windows\AppPatch\sysmain.sdb

3.c) dwwin.exe - Process Activities

	- Foreign Memory Regions Read:

Process: C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

3.d) dwwin.exe - Other Activities

	- Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

MSCTF.Shared.MUTEX.IM

SHIMLIB_LOG_MUTEX

ZonesCacheCounterMutex

ZonesCounterMutex

ZonesLockedCacheCounterMutex

	- Keyboard Keys Monitored:

Virtual Key Code	Times
VK_MENU (18)	2
VK_CONTROL (17)	2
VK_SHIFT (16)	2
VK_LWIN (91)	2
VK_RWIN (92)	2

4. drwtsn32.exe

	- General information about this executable

Analysis Reason:	Started by 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781
Filename:	drwtsn32.exe
MD5:	c9f5e1de6da983e89e714ed80c11f000
SHA-1:	1717b633478fb107d3c26344f710328b93ae550c
File Size:	45568 Bytes
Command Line:	C:\WINDOWS\system32\drwtsn32 -p 1576 -e 140 -g
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\dbgeng.dll	0x6D590000	0x000F6000
C:\WINDOWS\system32\DBGHELP.dll	0x59A60000	0x000A1000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntsdexts.dll	0x5F170000	0x0000C000
C:\WINDOWS\system32\exts.dll	0x69480000	0x00022000
C:\WINDOWS\system32\psapi.dll	0x76BF0000	0x0000B000

4.a) drwtsn32.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKLM\software\microsoft\DrWatson	NumberOfCrashes	1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Identifier	x86 Family 6 Model 3 Stepping 3	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	CurrentBuildNumber	2600	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	CurrentType	Uniprocessor Free	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	RegisteredOrganization	TU Wien, Campuslizenz	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	RegisteredOwner	Ihr Benutzername	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\CurrentControlSet\Control\Windows	CSDVersion	768	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	0x01000000100000000204000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	0x01000000100000001100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	0x0100000010000000550000001e000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	0x01000000100000000200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	0x01000000120000006001000016000000610100001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	0x010000001000000006000000120000000700000012000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	0x0100000010000000420000001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	0x01000000100000003100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	0x01000000100000003001000016000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	0x01000000100000002200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion	CurrentType	Uniprocessor Free	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	midimapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	msg723.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	tssoft32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.I420		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M261		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M263		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.cvid		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv31		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv32		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv41		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv50		1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iyuv		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.mrle		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.msvc		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.uyvy		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yuy2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvu9		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvyu		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	wavemapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs		1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	4
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSAppCompat	0	1
HKLM\software\microsoft\DrWatson	AppendToLogFile	1	1
HKLM\software\microsoft\DrWatson	CrashDumpType	1	1
HKLM\software\microsoft\DrWatson	CreateCrashDump	1	1
HKLM\software\microsoft\DrWatson	DumpAllThreads	1	1
HKLM\software\microsoft\DrWatson	DumpSymbols	0	1
HKLM\software\microsoft\DrWatson	Instructions	10	1
HKLM\software\microsoft\DrWatson	MaximumCrashes	10	1
HKLM\software\microsoft\DrWatson	NumberOfCrashes	0	2
HKLM\software\microsoft\DrWatson	SoundNotification	0	1
HKLM\software\microsoft\DrWatson	VisualNotification	0	1
HKLM\software\microsoft\DrWatson	WaveFile		1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio	SystemFormats	CD Quality,Radio Quality,Telephone Quality	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1

4.b) drwtsn32.exe - File Activities

	- Files Created:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

	- Files Read:

C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

PIPE\lsarpc

	- Files Modified:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

PIPE\lsarpc

	- Directories Created:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\CRYPT32.dll

C:\WINDOWS\system32\DBGHELP.dll

C:\WINDOWS\system32\GDI32.dll

C:\WINDOWS\system32\MFC42.DLL

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\MSASN1.dll

C:\WINDOWS\system32\OLEAUT32.dll

C:\WINDOWS\system32\RPCRT4.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\SHLWAPI.dll

C:\WINDOWS\system32\Secur32.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\USER32.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\VERSION.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\dbgeng.dll

C:\WINDOWS\system32\exts.dll

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\msvcrt.dll

C:\WINDOWS\system32\ntdll.dll

C:\WINDOWS\system32\ntsdexts.dll

C:\WINDOWS\system32\ole32.dll

C:\WINDOWS\system32\psapi.dll

C:\Windows\AppPatch\sysmain.sdb

4.c) drwtsn32.exe - Process Activities

	- Processes Killed:

C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

	- Remote Threads Created:

Affected Process

C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

	- Foreign Memory Regions Read:

Process: C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

Process: C:\Program Files\Messenger\msmsgs.exe

Process: C:\WINDOWS\explorer.exe

Process: C:\WINDOWS\system32\alg.exe

Process: C:\WINDOWS\system32\cmd.exe

Process: C:\WINDOWS\system32\csrss.exe

Process: C:\WINDOWS\system32\ctfmon.exe

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\lsass.exe

Process: C:\WINDOWS\system32\services.exe

Process: C:\WINDOWS\system32\smss.exe

Process: C:\WINDOWS\system32\spoolsv.exe

Process: C:\WINDOWS\system32\svchost.exe

Process: C:\WINDOWS\system32\winlogon.exe

Process: C:\WINDOWS\system32\wscntfy.exe

Process: C:\WINDOWS\system32\wuauclt.exe

Process: C:\jwsk.exeor.exe

Process: C:\sqlk.exeler.exe

	- Foreign Memory Regions Written:

Process: C:\32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

Analysis Report for 32847400d72ef276c2ee5a462047d781-32847400d72ef276c2ee5a462047d781

Summary:

Table of Contents