[#############################################################################]
Analysis Report for 57138338
MD5: 40fabed8658dc74c8389fca50fbf7580
[#############################################################################]

Summary:
- Write to foreign memory areas: This executable tampers with the execution of another process.
- Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered.
- Execution did not terminate correctly: The executable crashed.
- Changes security settings of Internet Explorer: This system alteration could seriously affect the safety of browsing the World Wide Web.
- Spawns Processes: The executable produces processes during the execution.
- Performs Registry Activities: The executable creates and/or modifies registry entries.

[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- 57138338.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
- dwwin.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
- drwtsn32.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities

[#############################################################################]
1. General Information
[#############################################################################]

[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 247 s
Report created: 01/19/12, 00:24:01 UTC
Termination reason: All tracked processes have exited
Program version: 1.75.3394

[#############################################################################]
2. 57138338.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: 57138338.exe
MD5: 40fabed8658dc74c8389fca50fbf7580
SHA-1: f6a6e13ebc8d7b01fe07d858fa4f9a8a5c2c785d
File Size: 1564672 Bytes
Command Line: "C:\57138338.exe"
Process-status at analysis end: dead
Exit Code: -1073741794

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x00D50000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\wbem\wbemsvc.dll ], Base Address: [0x74ED0000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\wbem\wbemprox.dll ], Base Address: [0x74EF0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\wbem\wbemcomn.dll ], Base Address: [0x75290000 ], Size: [0x00037000 ]
Module Name: [ C:\WINDOWS\system32\wbem\fastprox.dll ], Base Address: [0x75690000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\NTDSAPI.dll ], Base Address: [0x767A0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]

[=============================================================================]
SigBuster Output
[=============================================================================]
Armadillo v3.78-4.xx SN:712

[=============================================================================]
2.a) 57138338.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\APPID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} ], Value Name: [ LocalService ], Value: [ winmgmt ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\INPROCSERVER32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\wbem\fastprox.dll ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\INPROCSERVER32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\wbem\wbemprox.dll ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\wbem\wbemsvc.dll ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} ], Value Name: [ AppID ], Value: [ {8BC3F05E-D86B-11D0-A075-00C04FB68820} ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\wbem\fastprox.dll ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{027947E1-D731-11CE-A357-000000000001}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {1B1CAD8C-2DAB-11D2-B604-00104B703EFD} ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {7C857801-7381-11CF-884D-00AA004B2E24} ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{423EC01E-2E35-11D2-B604-00104B703EFD}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {7C857801-7381-11CF-884D-00AA004B2E24} ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{9556DC99-828C-11CF-A37E-00AA003240C7}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {D68AF00A-29CB-43FA-8504-CE99A996D9EA} ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {7C857801-7381-11CF-884D-00AA004B2E24} ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{F309AD18-D86A-11D0-A075-00C04FB68820}\PROXYSTUBCLSID32 ], Value Name: [ ], Value: [ {7C857801-7381-11CF-884D-00AA004B2E24} ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ REGDBVersion ], Value: [ 0x0b00000000000000 ], 10 times
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ Log File Max Size ], Value: [ 65536 ], 1 time
Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ Logging ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ Logging Directory ], Value: [ C:\WINDOWS\system32\WBEM\Logs\ ], 2 times
Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ ProcessID ], Value: [ 680 ], 1 time
Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ Repository Directory ], Value: [ %SystemRoot%\system32\WBEM\Repository ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 3 times
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 3 times
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 3 times
Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Classes ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
Key: [ HKLM\Software\Classes\CLSID ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times
Key: [ HKLM\Software\Microsoft\COM3 ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times
Key: [ HKU ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times

[=============================================================================]
2.b) 57138338.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bd15_appcompat.txt ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\Registration\R00000000000b.clb ]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bd15_appcompat.txt ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 9 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
File Name: [ C:\WINDOWS\system32\COMCTL32.dll ]
File Name: [ C:\WINDOWS\system32\COMRes.dll ]
File Name: [ C:\WINDOWS\system32\DNSAPI.dll ]
File Name: [ C:\WINDOWS\system32\MSVCP60.dll ]
File Name: [ C:\WINDOWS\system32\NTDSAPI.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\advapi32.dll ]
File Name: [ C:\WINDOWS\system32\apphelp.dll ]
File Name: [ C:\WINDOWS\system32\drwtsn32.exe ]
File Name: [ C:\WINDOWS\system32\dwwin.exe ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\gdi32.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\oleaut32.dll ]
File Name: [ C:\WINDOWS\system32\rpcss.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\WINDOWS\system32\user32.dll ]
File Name: [ C:\WINDOWS\system32\wbem\fastprox.dll ]
File Name: [ C:\WINDOWS\system32\wbem\wbemcomn.dll ]
File Name: [ C:\WINDOWS\system32\wbem\wbemprox.dll ]
File Name: [ C:\WINDOWS\system32\wbem\wbemsvc.dll ]
File Name: [ C:\WINDOWS\system32\wininet.dll ]
File Name: [ C:\WINDOWS\system32\winlogon.exe ]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ C:\WINDOWS\system32\xpsp2res.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[=============================================================================]
2.c) 57138338.exe - Process Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\WINDOWS\system32\dwwin.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\dwwin.exe -x -s 392 ]
Executable: [ C:\WINDOWS\system32\drwtsn32.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\drwtsn32 -p 1192 -e 368 -g ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\system32\dwwin.exe ]
Affected Process: [ C:\WINDOWS\system32\drwtsn32.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=============================================================================]
2.d) 57138338.exe - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutex: [ DBWinMutex ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4c31b3 ], 1 time
Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4c3888 ], 1 time
Description: [ Exception 0xc000001e at 0x4cc5c3 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc5c5 ], 1 time
Description: [ Exception 0xc000001e at 0x4cc51f ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc521 ], 1 time
Description: [ Exception 0xc000001e at 0x4cc47d ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc47f ], 1 time
Description: [ Exception 0xc000001e at 0x4cc3db ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc3dd ], 1 time
Description: [ Exception 0xc000001e at 0x4cc337 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc339 ], 1 time
Description: [ Exception 0xc000001e at 0x4cc295 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc297 ], 1 time
Description: [ Exception 0xc000001e at 0x4cc1f1 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc1f3 ], 1 time
Description: [ Exception 0xc000001e at 0x4cc14d ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc14f ], 1 time
Description: [ Exception 0xc000001e at 0x4cc0ab ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc0ad ], 1 time
Description: [ Exception 0xc000001e at 0x4cc008 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cc00a ], 1 time
Description: [ Exception 0xc000001e at 0x4cbf65 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cbf67 ], 1 time
Description: [ Exception 0xc000001e at 0x4cbec2 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cbec4 ], 1 time
Description: [ Exception 0xc000001e at 0x4cbe20 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cbe22 ], 1 time
Description: [ Exception 0xc000001e at 0x4cbd7e ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cbd80 ], 1 time
Description: [ Exception 0xc000001e at 0x4cbcdc ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cbcde ], 1 time
Description: [ Exception 0xc000001e at 0x4cbc3a ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cbc3c ], 1 time
Description: [ Exception 0xc000001e at 0x4cbb98 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cbb9a ], 1 time
Description: [ Exception 0xc000001e at 0x4cbaf6 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cbaf8 ], 1 time
Description: [ Exception 0xc000001e at 0x4cba52 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cba54 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb9ae ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb9b0 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb90a ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb90c ], 1 time
Description: [ Exception 0xc000001e at 0x4cb868 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb86a ], 1 time
Description: [ Exception 0xc000001e at 0x4cb7c4 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb7c6 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb721 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb723 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb67d ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb67f ], 1 time
Description: [ Exception 0xc000001e at 0x4cb5d9 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb5db ], 1 time
Description: [ Exception 0xc000001e at 0x4cb535 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb537 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb492 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb494 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb3f0 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb3f2 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb34d ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb34f ], 1 time
Description: [ Exception 0xc000001e at 0x4cb2ab ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb2ad ], 1 time
Description: [ Exception 0xc000001e at 0x4cb207 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb209 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb165 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb167 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb0c2 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb0c4 ], 1 time
Description: [ Exception 0xc000001e at 0x4cb020 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cb022 ], 1 time
Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4c6a84 ], 1 time
Description: [ Exception 0xc000001e at 0x4cafa1 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cafa3 ], 1 time
Description: [ Exception 0xc000001e at 0x4caf4a ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4caf4c ], 1 time
Description: [ Exception 0xc000001e at 0x4caef4 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4caef6 ], 1 time
Description: [ Exception 0xc000001e at 0x4cae9f ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4caea1 ], 1 time
Description: [ Exception 0xc000001e at 0x4cae48 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cae4a ], 1 time
Description: [ Exception 0xc000001e at 0x4cadf3 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cadf5 ], 1 time
Description: [ Exception 0xc000001e at 0x4cad9e ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cada0 ], 1 time
Description: [ Exception 0xc000001e at 0x4cad49 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cad4b ], 1 time
Description: [ Exception 0xc000001e at 0x4cacf3 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cacf5 ], 1 time
Description: [ Exception 0xc000001e at 0x4cac9e ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4caca0 ], 1 time
Description: [ Exception 0xc000001e at 0x4cac47 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cac49 ], 1 time
Description: [ Exception 0xc000001e at 0x4cabf2 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cabf4 ], 1 time
Description: [ Exception 0xc000001e at 0x4cab9c ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cab9e ], 1 time
Description: [ Exception 0xc000001e at 0x4cab47 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4cab49 ], 1 time
Description: [ Exception 0xc000001e at 0x4caaf2 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4caaf4 ], 1 time
Description: [ Exception 0xc000001e at 0x4caa9d ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4caa9f ], 1 time
Description: [ Exception 0xc000001e at 0x4caa47 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4caa49 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca9f1 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca9f3 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca99c ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca99e ], 1 time
Description: [ Exception 0xc000001e at 0x4ca947 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca949 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca8f2 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca8f4 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca89c ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca89e ], 1 time
Description: [ Exception 0xc000001e at 0x4ca845 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca847 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca7f0 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca7f2 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca79a ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca79c ], 1 time
Description: [ Exception 0xc000001e at 0x4ca745 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca747 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca6f0 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca6f2 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca699 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca69b ], 1 time
Description: [ Exception 0xc000001e at 0x4ca643 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca645 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca5ec ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca5ee ], 1 time
Description: [ Exception 0xc000001e at 0x4ca597 ], 1 time
Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca599 ], 1 time
Description: [ Exception 0xc000001e at 0x4ca540 ], 1
time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca542 ], 1 time Description: [ Exception 0xc000001e at 0x4ca4eb ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca4ed ], 1 time Description: [ Exception 0xc000001e at 0x4ca496 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca498 ], 1 time Description: [ Exception 0xc000001e at 0x4ca441 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca443 ], 1 time Description: [ Exception 0xc000001e at 0x4ca3ea ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca3ec ], 1 time Description: [ Exception 0xc000001e at 0x4ca395 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca397 ], 1 time Description: [ Exception 0xc000001e at 0x4ca340 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca342 ], 1 time Description: [ Exception 0xc000001e at 0x4ca2e9 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca2eb ], 1 time Description: [ Exception 0xc000001e at 0x4ca292 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca294 ], 1 time Description: [ Exception 0xc000001e at 0x4ca23c ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca23e ], 1 time Description: [ Exception 0xc000001e at 0x4ca1e5 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca1e7 ], 1 time Description: [ Exception 0xc000001e at 0x4ca190 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca192 ], 1 time Description: [ Exception 0xc000001e at 0x4ca13b ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca13d ], 1 time Description: [ Exception 0xc000001e at 0x4ca0e6 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca0e8 ], 1 time Description: [ 
Exception 0xc000001e at 0x4ca091 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca093 ], 1 time Description: [ Exception 0xc000001e at 0x4ca03c ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ca03e ], 1 time Description: [ Exception 0xc000001e at 0x4c9fe5 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9fe7 ], 1 time Description: [ Exception 0xc000001e at 0x4c9f90 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9f92 ], 1 time Description: [ Exception 0xc000001e at 0x4c9f3b ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9f3d ], 1 time Description: [ Exception 0xc000001e at 0x4c9ee4 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9ee6 ], 1 time Description: [ Exception 0xc000001e at 0x4c9e8d ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9e8f ], 1 time Description: [ Exception 0xc000001e at 0x4c9e36 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9e38 ], 1 time Description: [ Exception 0xc000001e at 0x4c9de1 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9de3 ], 1 time Description: [ Exception 0xc000001e at 0x4c9d8b ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9d8d ], 1 time Description: [ Exception 0xc000001e at 0x4c9d36 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9d38 ], 1 time Description: [ Exception 0xc000001e at 0x4c9ce1 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9ce3 ], 1 time Description: [ Exception 0xc000001e at 0x4c9c8c ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9c8e ], 1 time Description: [ Exception 0xc000001e at 0x4c9c35 ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 
0x4c9c37 ], 1 time Description: [ Exception 0xc000001e at 0x4c9bdf ], 1 time Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4c9be1 ], 1 time Description: [ Exception 0xc000001e at 0x4c8bb2 ], 1 time Description: [ Exception 0xc000001e at 0x4c8ceb ], 1 time Description: [ Exception 0x40010006 at 0x7c812aeb ], 1 time Description: [ Exception 0xc000001e at 0xc839c9 ], 2 times [#############################################################################] 3. dwwin.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by 57138338.exe Filename: dwwin.exe MD5: 86042f6f6a5287eaf9379c91d0bf72b6 SHA-1: 532bf74e6aead7438aa7264d01759a065410ee68 File Size: 180224 Bytes Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 392 Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.DLL ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: 
[0x00091000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.DLL ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\URLMON.DLL ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WININET.DLL ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\1033\dwintl.dll 
], Base Address: [0x314C0000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\sensapi.dll ], Base Address: [0x722B0000 ], Size: [0x00005000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\riched20.dll ], Base Address: [0x74E30000 ], Size: [0x0006D000 ] Module Name: [ C:\WINDOWS\system32\imm32.dll ], Base Address: [0x76390000 ], Size: [0x0001D000 ] Module Name: [ C:\WINDOWS\system32\shfolder.dll ], Base Address: [0x76780000 ], Size: [0x00009000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\rasman.dll ], Base Address: [0x76E90000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\TAPI32.dll ], Base Address: [0x76EB0000 ], Size: [0x0002F000 ] Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ], Base Address: [0x76EE0000 ], Size: [0x0003C000 ] [=============================================================================] Popups [=============================================================================] Window Name: 57138338.exe Displayed Times: 1 Window Text: &Don't Send 57138338.exe has encountered a problem and needs to close. We are sorry for the inconvenience. 57138338.exe has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. 
We will treat this report as confidential and anonymous. To see what data this error report contains, Details &Send Error Report [=============================================================================] 3.a) dwwin.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], New Value: [ 0 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Paths ], New Value: [ 4 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ] Key: [ 
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ 
MigrateProxy ], New Value: [ 1 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], New Value: [ 0 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], Value Name: [ SavedLegacySettings ], New Value: [ 0x3c0000001600000001000000000000000000000000000000040000000000 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ 
cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ 
fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time Key: [ 
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Tracing ], Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ EnableFileTracing ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 4 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ MaxFileSize ], Value: [ 
1048576 ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion ], Value Name: [ DigitalProductId ], Value: [ 0xa40000000300000037363438372d3634302d313435373233362d32333833 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 4 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ midimapper ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.iac2 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.imaadpcm ], Value: [ imaadp32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.l3acm ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msadpcm ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msaudio1 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg711 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg723 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msgsm610 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.sl_anet ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.trspch ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.I420 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M261 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M263 
], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.cvid ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv31 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv32 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv41 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv50 ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iyuv ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.mrle ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.msvc ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.uyvy ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yuy2 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvu9 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvyu ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ wavemapper ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ AllUsersProfile ], Value: [ All Users ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ DefaultUserProfile ], Value: [ Default User ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ ProfilesDirectory ], Value: [ %SystemDrive%\Documents and Settings ], 4 times Key: [ 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], Value Name: [ ProfileImagePath ], Value: [ %SystemDrive%\Documents and Settings\Administrator ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 3 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 3 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 5 times Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], Value Name: [ wheel ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ ComSpec ], Value: [ %SystemRoot%\system32\cmd.exe ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ FP_NO_HOST_CHECK ], Value: [ NO ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ NUMBER_OF_PROCESSORS ], Value: [ 1 ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ OS ], Value: [ Windows_NT ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PATHEXT ], Value: [ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ 
PROCESSOR_ARCHITECTURE ], Value: [ x86 ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_IDENTIFIER ], Value: [ x86 Family 6 Model 3 Stepping 3, GenuineIntel ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_LEVEL ], Value: [ 6 ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_REVISION ], Value: [ 0303 ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ Path ], Value: [ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ TEMP ], Value: [ %SystemRoot%\TEMP ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ TMP ], Value: [ %SystemRoot%\TEMP ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ windir ], Value: [ %SystemRoot% ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ], Value Name: [ TEMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ], Value Name: [ TMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ MimeExclusionListForCache ], Value: [ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ WarnOnPost ], Value: [ 0x01000000 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Settings ], Value Name: [ Anchor Color ], Value: [ 0,0,255 ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ], Value Name: [ ParseAutoexec ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ], Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CachePrefix ], Value: [ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021720110218\ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CachePrefix ], Value: [ :2011021720110218: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021820110219\ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CachePrefix ], Value: [ :2011021820110219: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ MigrateProxy ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], Value Name: [ DefaultConnectionSettings ], Value: [ 0x3c0000000300000001000000000000000000000000000000040000000000 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], Value Name: [ SavedLegacySettings ], Value: [ 0x3c0000001500000001000000000000000000000000000000040000000000 ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ APPDATA ], Value: [ C:\Documents and Settings\Administrator\Application Data ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ CLIENTNAME ], Value: [ Console ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMEDRIVE ], Value: [ C: ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMEPATH ], Value: [ \Documents and Settings\Administrator ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMESHARE ], Value: [ ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ LOGONSERVER ], Value: [ \\PC ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ SESSIONNAME ], Value: [ Console ], 4 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times
[=============================================================================]
3.b) dwwin.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7080C.dmp ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bd15_appcompat.txt ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7080C.dmp ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\57138338.exe ]
File Name: [ C:\WINDOWS\win.ini ]
File Name: [ PIPE\lsarpc ]
File Name: [ c:\autoexec.bat ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7080C.dmp ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\WINDOWS\system32 ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 16 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\57138338.exe ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7080C.dmp ]
File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\1033\dwintl.dll ]
File Name: [ C:\WINDOWS\system32\ADVAPI32.dll ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
File Name: [ C:\WINDOWS\system32\COMCTL32.DLL ]
File Name: [ C:\WINDOWS\system32\COMCTL32.dll ]
File Name: [ C:\WINDOWS\system32\COMRes.dll ]
File Name: [ C:\WINDOWS\system32\CRYPT32.dll ]
File Name: [ C:\WINDOWS\system32\GDI32.dll ]
File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
File Name: [ C:\WINDOWS\system32\MSASN1.dll ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\NETAPI32.dll ]
File Name: [ C:\WINDOWS\system32\OLEAUT32.dll ]
File Name: [ C:\WINDOWS\system32\PSAPI.DLL ]
File Name: [ C:\WINDOWS\system32\RASAPI32.DLL ]
File Name: [ C:\WINDOWS\system32\RPCRT4.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.DLL ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\SHLWAPI.dll ]
File Name: [ C:\WINDOWS\system32\Secur32.dll ]
File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
File Name: [ C:\WINDOWS\system32\URLMON.DLL ]
File Name: [ C:\WINDOWS\system32\USER32.dll ]
File Name: [ C:\WINDOWS\system32\USERENV.dll ]
File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
File Name: [ C:\WINDOWS\system32\VERSION.dll ]
File Name: [ C:\WINDOWS\system32\WININET.DLL ]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\comdlg32.dll ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\msvcrt.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\rasman.dll ]
File Name: [ C:\WINDOWS\system32\riched20.dll ]
File Name: [ C:\WINDOWS\system32\rtutils.dll ]
File Name: [ C:\WINDOWS\system32\sensapi.dll ]
File Name: [ C:\WINDOWS\system32\shfolder.dll ]
File Name: [ C:\WINDOWS\system32\xpsp2res.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[=============================================================================]
3.c) dwwin.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\57138338.exe ]
[#############################################################################]
4. drwtsn32.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by 57138338.exe
Filename: drwtsn32.exe
MD5: c9f5e1de6da983e89e714ed80c11f000
SHA-1: 1717b633478fb107d3c26344f710328b93ae550c
File Size: 45568 Bytes
Command Line: C:\WINDOWS\system32\drwtsn32 -p 1192 -e 368 -g
Process-status at analysis end: dead
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\dbgeng.dll ], Base Address: [0x6D590000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\DBGHELP.dll ], Base Address: [0x59A60000 ], Size: [0x000A1000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntsdexts.dll ], Base Address: [0x5F170000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\exts.dll ], Base Address: [0x69480000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\psapi.dll ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
[=============================================================================]
4.a) drwtsn32.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ NumberOfCrashes ], New Value: [ 1 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ], Value Name: [ Identifier ], Value: [ x86 Family 6 Model 3 Stepping 3 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], Value Name: [ CurrentBuildNumber ], Value: [ 2600 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], Value Name: [ CurrentType ], Value: [ Uniprocessor Free ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], Value Name: [ RegisteredOrganization ], Value: [ TU Wien, Campuslizenz ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], Value Name: [ RegisteredOwner ], Value: [ Ihr Benutzername ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Windows ], Value Name: [ CSDVersion ], Value: [ 768 ], 1 time
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion ], Value Name: [ CurrentType ], Value: [ Uniprocessor Free ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ midimapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.iac2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.imaadpcm ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.l3acm ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msadpcm ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msaudio1 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg711 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg723 ], Value: [ msg723.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msgsm610 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.sl_anet ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.trspch ], Value: [ tssoft32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.I420 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M261 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M263 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.cvid ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv31 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv32 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv41 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv50 ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iyuv ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.mrle ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.msvc ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.uyvy ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yuy2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvu9 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvyu ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ wavemapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ AppendToLogFile ], Value: [ 1 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ CrashDumpType ], Value: [ 1 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ CreateCrashDump ], Value: [ 1 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ DumpAllThreads ], Value: [ 1 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ DumpSymbols ], Value: [ 0 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ Instructions ], Value: [ 10 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ MaximumCrashes ], Value: [ 10 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ NumberOfCrashes ], Value: [ 0 ], 2 times
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ SoundNotification ], Value: [ 0 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ VisualNotification ], Value: [ 0 ], 1 time
Key: [ HKLM\software\microsoft\DrWatson ], Value Name: [ WaveFile ], Value: [ ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
[=============================================================================]
4.b) drwtsn32.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson ]
File Name: [ C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log ]
File Name: [ C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\57138338.exe ]
File Name: [ C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log ]
File Name: [ C:\WINDOWS\system32\xpsp2res.dll ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log ]
File Name: [ C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directory: [ C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 3 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\57138338.exe ]
File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\ADVAPI32.dll ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
File Name: [ C:\WINDOWS\system32\COMCTL32.dll ]
File Name: [ C:\WINDOWS\system32\COMRes.dll ]
File Name: [ C:\WINDOWS\system32\CRYPT32.dll ]
File Name: [ C:\WINDOWS\system32\DBGHELP.dll ]
File Name: [ C:\WINDOWS\system32\GDI32.dll ]
File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
File Name: [ C:\WINDOWS\system32\MSASN1.dll ]
File Name: [ C:\WINDOWS\system32\OLEAUT32.dll ]
File Name: [ C:\WINDOWS\system32\RPCRT4.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\SHLWAPI.dll ]
File Name: [ C:\WINDOWS\system32\Secur32.dll ]
File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
File Name: [ C:\WINDOWS\system32\USER32.dll ]
File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
File Name: [ C:\WINDOWS\system32\VERSION.dll ]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\comdlg32.dll ]
File Name: [ C:\WINDOWS\system32\dbgeng.dll ]
File Name: [ C:\WINDOWS\system32\exts.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\msvcrt.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ntsdexts.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\psapi.dll ]
File Name: [ C:\WINDOWS\system32\xpsp2res.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[=============================================================================]
4.c) drwtsn32.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Killed:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\57138338.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\57138338.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\57138338.exe ]
Process: [ C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ]
Process: [ C:\Program Files\Common Files\srityptye.exe ]
Process: [ C:\Program Files\Common Files\zrmuvjbv.exe ]
Process: [ C:\Program Files\Messenger\msmsgs.exe ]
Process: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe ]
Process: [ C:\WINDOWS\explorer.exe ]
Process: [ C:\WINDOWS\system32\alg.exe ]
Process: [ C:\WINDOWS\system32\csrss.exe ]
Process: [ C:\WINDOWS\system32\ctfmon.exe ]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\lsass.exe ]
Process: [ C:\WINDOWS\system32\services.exe ]
Process: [ C:\WINDOWS\system32\smss.exe ]
Process: [ C:\WINDOWS\system32\spoolsv.exe ]
Process: [ C:\WINDOWS\system32\svchost.exe ]
Process: [ C:\WINDOWS\system32\wbem\wmiprvse.exe ]
Process: [ C:\WINDOWS\system32\winlogon.exe ]
Process: [ C:\WINDOWS\system32\wscntfy.exe ]
Process: [ C:\WINDOWS\system32\wuauclt.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\57138338.exe ]
[#############################################################################]
International Secure Systems Lab            http://www.iseclab.org
Vienna University of Technology   Eurecom France   UC Santa Barbara
http://www.tuwien.ac.at   http://www.eurecom.fr   http://www.cs.ucsb.edu
Contact: anubis@iseclab.org
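Added triage example (not part of the Anubis report and not Anubis code). The only "Foreign Memory Regions Written" entry in this report belongs to drwtsn32.exe, the Windows XP postmortem debugger that the crash of 57138338.exe started (section 4: "Analysis Reason: Started by 57138338.exe", command line "drwtsn32 -p 1192 -e 368 -g"), and its target is the crashed subject; the remote thread and the process kill in section 4.c have the same origin. The script below parses reports in this one-entry-per-line layout and attributes each foreign memory write to a cause, so the summary verdict "Write to foreign memory areas" can be separated from debugger activity. It also decodes the subject's exit code (-1073741794) as an NTSTATUS value and lists the processes outside the Windows directory that the debugger read while walking the process list. The sample report text is constructed from lines of this report; the verdict label "postmortem-debugger", the path heuristic in odd_paths and the small NTSTATUS name table are the example's own assumptions, not output of Anubis.

```python
# Triage helper for Anubis-style reports: who wrote into whose memory, and why?
# Added example. Assumes the one-entry-per-line layout of the report above.
import re
from collections import defaultdict

# Constructed sample: lines copied from sections 2 and 4 of the report above.
SAMPLE_REPORT = r"""
2. 57138338.exe
Command Line: "C:\57138338.exe"
Exit Code: -1073741794
4. drwtsn32.exe
Analysis Reason: Started by 57138338.exe
Command Line: C:\WINDOWS\system32\drwtsn32 -p 1192 -e 368 -g
Files Created:
File Name: [ C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp ]
Remote Threads Created:
Affected Process: [ C:\57138338.exe ]
Foreign Memory Regions Read:
Process: [ C:\57138338.exe ]
Process: [ C:\Program Files\Common Files\srityptye.exe ]
Process: [ C:\WINDOWS\system32\lsass.exe ]
Foreign Memory Regions Written:
Process: [ C:\57138338.exe ]
"""

SECTION_RE = re.compile(r"^\d+\. (?P<proc>\S+)$")                 # "4. drwtsn32.exe"
KV_RE = re.compile(r"^(?P<key>Command Line|Analysis Reason|Exit Code): (?P<val>.+)$")
SUBSECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+):$")             # "Files Created:"
ENTRY_RE = re.compile(r"^(?:File Name|Process|Affected Process): \[ (?P<val>.*?) \]$")

# A few NTSTATUS values (Windows NTSTATUS definitions) seen as crash exit codes.
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC000001E: "STATUS_INVALID_LOCK_SEQUENCE",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}


def parse_report(text):
    """Return {process: {"meta": {key: value}, "lists": {subsection: [entries]}}}."""
    report, proc, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                                   # a new per-process section starts
            proc = m.group("proc")
            report[proc] = {"meta": {}, "lists": defaultdict(list)}
            sub = None
            continue
        if proc is None:
            continue
        m = KV_RE.match(line)
        if m:
            report[proc]["meta"][m.group("key")] = m.group("val")
            continue
        m = SUBSECTION_RE.match(line)
        if m:
            sub = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and sub:
            report[proc]["lists"][sub].append(m.group("val"))
    return report


def postmortem_target(cmdline):
    """Parse the AeDebug-style 'drwtsn32 -p <pid> -e <event>' invocation; None if absent."""
    pid = re.search(r"-p (\d+)", cmdline)
    evt = re.search(r"-e (\d+)", cmdline)
    return (int(pid.group(1)), int(evt.group(1))) if pid and evt else None


def explain_foreign_writes(report):
    """Attribute every 'Foreign Memory Regions Written' entry as (writer, target, verdict)."""
    findings = []
    for proc, data in report.items():
        meta = data["meta"]
        reason = meta.get("Analysis Reason", "")
        started_by = reason[len("Started by "):] if reason.startswith("Started by ") else ""
        # Assumption: drwtsn32 started by a crash, with -p/-e on its command line, is the debugger.
        is_debugger = proc.lower() == "drwtsn32.exe" and postmortem_target(meta.get("Command Line", "")) is not None
        for target in data["lists"].get("Foreign Memory Regions Written", []):
            if is_debugger and target.rsplit("\\", 1)[-1] == started_by:
                verdict = "postmortem-debugger"   # debugger writing into the process it was spawned for
            else:
                verdict = "unexplained"           # treat as cross-process tampering until shown otherwise
            findings.append((proc, target, verdict))
    return findings


def ntstatus(exit_code):
    """Render a signed 32-bit exit code as (hex NTSTATUS, name or 'unknown')."""
    code = int(exit_code) & 0xFFFFFFFF
    return "0x%08X" % code, NTSTATUS_NAMES.get(code, "unknown")


def odd_paths(report, subject, system_prefix="c:\\windows\\"):
    """Heuristic: processes read by any section that are neither the subject nor under the Windows directory."""
    seen = []
    for data in report.values():
        for path in data["lists"].get("Foreign Memory Regions Read", []):
            low = path.lower()
            if low != subject.lower() and not low.startswith(system_prefix) and path not in seen:
                seen.append(path)
    return seen


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("debugger pid/event:", postmortem_target(rep["drwtsn32.exe"]["meta"]["Command Line"]))
    for writer, target, verdict in explain_foreign_writes(rep):
        print("foreign write by %s into %s: %s" % (writer, target, verdict))
    print("subject exit code:", ntstatus(rep["57138338.exe"]["meta"]["Exit Code"]))
    print("non-system processes touched:", odd_paths(rep, r"C:\57138338.exe"))
```

Run against the full report, the same logic leaves the subject's own section with no foreign writes and marks the drwtsn32.exe write as debugger activity, which is the check to make before repeating the summary verdict in a case note; a write from the subject into another process would come out as "unexplained" and deserve the tampering label. The Dr Watson artifacts worth pulling from the sandbox are the ones in section 4.b (drwtsn32.log and user.dmp under the "Dr Watson" directory), since the dump was taken at the crash point of the packed binary.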