
Anubis - Analysis Report

International Secure Systems Lab: Vienna University of Technology, Eurecom France, UC Santa Barbara

Contact: anubis@iseclab.org

Analysis Report for 0026246716

MD5: c3c026387e06c403f403694b9939e146

Summary:

Description | Risk
Write to foreign memory areas: This executable tampers with the execution of another process. | high
Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered. | medium
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions being performed automatically. | medium
Changes security settings of Internet Explorer: This system alteration could seriously affect the safety of surfing the World Wide Web. | low
Spawns Processes: The executable produces processes during the execution. | low
Execution did not terminate correctly: The executable crashed. | medium
Performs Registry Activities: The executable creates and/or modifies registry entries. | low

Reading these findings against the detailed sections that follow: every foreign-memory write recorded (2.c and 3.c) targets a process the writer had itself just created (0026246716.exe into the two files it dropped; ENCRIP~1.EXE into dwwin.exe and drwtsn32.exe, the error-reporting processes launched after its access violation in 3.d), so the record is consistent with process creation rather than injection into a pre-existing process, although hollowing of a freshly spawned child would produce the same record. The Internet Explorer setting changes (4.a) were all made by dwwin.exe, the Windows error-reporting client, not by the dropped files. The only autostart entry (2.a) is a RunOnce value that deletes the IXP000.TMP extraction directory through advpack.dll DelNodeRunDLL32; it does not re-launch the payload. The SigBuster result (Microsoft_CAB), the IXP000.TMP directory and the wextract_cleanup0 value name all point to a CAB self-extractor as the outer layer.


Dependency overview:

0026246716.exe C:\0026246716.exe

Analysis reason: Primary Analysis Subject

ENCRIP~1.EXE C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

Analysis reason: Started by 0026246716.exe

dwwin.exe C:\WINDOWS\system32\dwwin.exe

Analysis reason: Started by ENCRIP~1.EXE

drwtsn32.exe C:\WINDOWS\system32\drwtsn32.exe

Analysis reason: Started by ENCRIP~1.EXE

Blend.exe Blend.exe

Analysis reason: Started by 0026246716.exe


Table of Contents:

1. General Information (page 4)
2. 0026246716.exe (page 4)
   a) Registry Activities (page 4)
   b) File Activities (page 6)
   c) Process Activities (page 7)
3. ENCRIP~1.EXE (page 7)
   a) Registry Activities (page 8)
   b) File Activities (page 10)
   c) Process Activities (page 10)
   d) Other Activities (page 11)
4. dwwin.exe (page 11)
   a) Registry Activities (page 12)
   b) File Activities (page 19)
   c) Process Activities (page 20)
   d) Other Activities (page 20)
5. drwtsn32.exe (page 20)
   a) Registry Activities (page 21)
   b) File Activities (page 24)
   c) Process Activities (page 25)
   d) Other Activities (page 26)
6. Blend.exe (page 26)
   a) Registry Activities (page 26)
   b) File Activities (page 26)


Analysis Report for 0026246716 - submitted on 08/22/11, 05:12:47 UTC

http://anubis.iseclab.org/ Page 4 of 27

1. General Information

Information about Anubis' invocation

Time needed: 259 s

Report created: 08/22/11, 05:12:47 UTC

Termination reason: Timeout

Program version: 1.75.3394

2. 0026246716.exe

General information about this executable

Analysis Reason: Primary Analysis Subject

Filename: 0026246716.exe

MD5: c3c026387e06c403f403694b9939e146

SHA-1: dd085f7ef399c6255f96a3f828cefa6870bf89be

File Size: 669184

Command Line: "C:\0026246716.exe"

Process-status at analysis end: alive

Exit Code: 0

Load-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000

C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F6000

C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000

C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000

C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000

C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00049000

C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00091000

C:\WINDOWS\system32\COMCTL32.dll 0x5D090000 0x0009A000

C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000

Run-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\feclient.dll 0x693F0000 0x00009000

C:\WINDOWS\system32\MPR.dll 0x71B20000 0x00012000

C:\WINDOWS\system32\advpack.dll 0x75260000 0x00029000

C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B4000

C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000

C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00095000

C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000

C:\WINDOWS\system32\Apphelp.dll 0x77B40000 0x00022000

C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000

SigBuster Output

Microsoft_CAB vna SN:206

2.a) 0026246716.exe - Registry Activities

Registry Values Modified:

Key | Name | New Value
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | wextract_cleanup0 | rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\"
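The RunOnce value above is what the summary's "Autostart capabilities" finding rests on. The following Python is an added example, not code from the Anubis report or from Anubis itself: it splits a rundll32-style autorun value into DLL, export and arguments and checks the paths involved against the directory and files the sample created in 2.b, so that a self-cleanup entry like this one (advpack.dll's DelNodeRunDLL32 deletes the directory it is given) is told apart from an entry that would re-launch a dropped file. The RunOnce value and the created paths are transcribed from the report; the labels "self-cleanup", "relaunch" and "other" and the helper names are the example's own.

```python
import re

# Transcribed from sections 2.a and 2.b of the report: the RunOnce value
# written by 0026246716.exe, and the directory and files it created.
RUNONCE_VALUE = (
    r'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 '
    r'"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\"'
)
CREATED_DIRS = [r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP"]
CREATED_FILES = [
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE",
]

# One token per match: a double-quoted run (quotes dropped) or a bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(value):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(value)]


def parse_rundll32(value):
    """Return {'dll', 'export', 'args'} for a 'rundll32.exe <dll>,<export> <args>'
    value, or None if the value does not invoke rundll32."""
    tokens = split_cmdline(value)
    if len(tokens) < 2 or tokens[0].rsplit("\\", 1)[-1].lower() != "rundll32.exe":
        return None
    dll, _, export = tokens[1].partition(",")
    return {"dll": dll, "export": export, "args": tokens[2:]}


def _norm(path):
    """Comparison key: case-insensitive, trailing backslash not significant."""
    return path.rstrip("\\").lower()


def classify_autorun(value, created_dirs, created_files):
    """Relate an autorun value to the paths the sample itself created.

    'self-cleanup': advpack!DelNodeRunDLL32 aimed at a directory the sample
                    made (the wextract/IExpress pattern seen in this report).
    'relaunch':     the program run, or a rundll32 argument, is a dropped file.
    'other':        nothing the sample created is involved; look manually.
    """
    tokens = split_cmdline(value)
    if not tokens:
        return {"kind": "other", "reason": "empty value"}
    parsed = parse_rundll32(value)
    # Paths the entry acts on: rundll32's arguments, else the program itself.
    targets = {_norm(a) for a in (parsed["args"] if parsed else tokens[:1])}
    is_delnode = (parsed is not None
                  and parsed["export"] == "DelNodeRunDLL32"
                  and parsed["dll"].lower().endswith("advpack.dll"))
    if is_delnode and targets & {_norm(d) for d in created_dirs}:
        return {"kind": "self-cleanup", "deletes": sorted(targets)}
    if targets & {_norm(f) for f in created_files}:
        return {"kind": "relaunch", "runs": sorted(targets)}
    return {"kind": "other", "reason": "no path the sample created is involved"}


if __name__ == "__main__":
    print(parse_rundll32(RUNONCE_VALUE))
    print(classify_autorun(RUNONCE_VALUE, CREATED_DIRS, CREATED_FILES))
```

On this report the value classifies as self-cleanup: its only argument is the IXP000.TMP directory listed under "Directories Created" in 2.b, and the entry runs once and then removes itself. A RunOnce or Run value whose program or argument is one of the dropped executables would instead come back as relaunch, which is the case the "Autostart capabilities" finding is really warning about.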


Registry Values Read:

Key | Name | Value | Times
HKLM\SYSTEM\CurrentControlSet\Control\SessionManager | CriticalSectionTimeout | 2592000 | 1
HKLM\SYSTEM\WPA\MediaCenter | Installed | 0 | 2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | AuthenticodeEnabled | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | DefaultLevel | 262144 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | PolicyScope | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | TransparentEnabled | 1 | 2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | ItemData | 0x5eab304f957a49896a006c1c31154015 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | ItemSize | 779 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | ItemData | 0x67b0d48b343a3fd3bce9dc646704f394 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | ItemSize | 517 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | ItemData | 0x327802dcfef8c893dc8ab006dd847d1d | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | ItemSize | 918 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | ItemData | 0xbd9a2adb42ebd8560e250e4df8162f67 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | ItemSize | 229 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | ItemData | 0x386b085f84ecf669d36b956a22c01e80 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | ItemSize | 370 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} | ItemData | %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} | SaferFlags | 0 | 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | ComputerName | PC | 2
HKLM\System\CurrentControlSet\Control\ProductOptions | ProductType | WinNT | 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | Domain |  | 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | Hostname | pc | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Local Settings | %USERPROFILE%\Local Settings | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Personal | %USERPROFILE%\My Documents | 1

Monitored Registry Keys:

Key Name | Watch subtree | Notify Filter | Count
HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder | 0 | Value Change | 1

2.b) 0026246716.exe - File Activities

Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP

Files Read:

PIPE\lsarpc

Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

MountPointManager

PIPE\lsarpc

Directories Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP

File System Control Communication:

File Control Code Times

C:\Program Files\Common Files\ 0x00090028 1

PIPE\lsarpc 0x0011C017 1


Device Control Communication:

File Control Code Times

C: 0x004D0008 1

MountPointManager 0x006D0008 1

\Device\KsecDD 0x00390008 1

Memory Mapped Files:

File Name

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\COMCTL32.dll

C:\WINDOWS\system32\advpack.dll

C:\WINDOWS\system32\feclient.dll

C:\Windows\AppPatch\sysmain.sdb

2.c) 0026246716.exe - Process Activities

Processes Created:

Executable | Command Line
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe

Remote Threads Created:

Affected Process

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe

Foreign Memory Regions Read:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

Foreign Memory Regions Written:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

3. ENCRIP~1.EXE

General information about this executable

Analysis Reason: Started by 0026246716.exe

Filename: ENCRIP~1.EXE

MD5: 54f92577b9b07cd8eecb6cf621ee2ea0

SHA-1: a831e5337ddb03e15a079cc7606b56bb7ea7f583

File Size: 402483

Command Line: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

Process-status at analysis end: dead

Exit Code: -1073741819

Load-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000


C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F6000

Run-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00055000

C:\WINDOWS\system32\faultrep.dll 0x69450000 0x00016000

C:\WINDOWS\system32\WINSTA.dll 0x76360000 0x00010000

C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B4000

C:\WINDOWS\system32\WTSAPI32.dll 0x76F50000 0x00008000

C:\WINDOWS\system32\SETUPAPI.dll 0x77920000 0x000F3000

C:\WINDOWS\system32\apphelp.dll 0x77B40000 0x00022000

C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000

C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000

C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000

C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000

C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00049000

C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000

C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000

C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00091000

3.a) ENCRIP~1.EXE - Registry Activities

Registry Values Read:

Key | Name | Value | Times
HKLM\SYSTEM\Setup | OsLoaderPath | \ | 2
HKLM\SYSTEM\Setup | SystemPartition | \Device\HarddiskVolume1 | 2
HKLM\SYSTEM\WPA\MediaCenter | Installed | 0 | 2
HKLM\Software\Microsoft\PCHealth\ErrorReporting | AllOrNone | 1 | 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting | DoReport | 1 | 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting | IncludeKernelFaults | 1 | 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting | IncludeMicrosoftApps | 1 | 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting | IncludeWindowsApps | 1 | 1
HKLM\Software\Microsoft\PCHealth\ErrorReporting | ShowUI | 1 | 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug | Auto | 1 | 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug | Debugger | drwtsn32 -p %ld -e %ld -g | 1
HKLM\Software\Microsoft\Windows\CurrentVersion | DevicePath | %SystemRoot%\inf | 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup | DriverCachePath | %SystemRoot%\Driver Cache | 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup | LogLevel | 0 | 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup | ServicePackCachePath | c:\windows\ServicePackFiles\ServicePackCache | 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup | ServicePackSourcePath | D:\ | 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup | SourcePath | D:\ | 2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | AuthenticodeEnabled | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | DefaultLevel | 262144 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | PolicyScope | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | TransparentEnabled | 1 | 2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | ItemData | 0x5eab304f957a49896a006c1c31154015 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | ItemSize | 779 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | ItemData | 0x67b0d48b343a3fd3bce9dc646704f394 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | ItemSize | 517 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | ItemData | 0x327802dcfef8c893dc8ab006dd847d1d | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | ItemSize | 918 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | ItemData | 0xbd9a2adb42ebd8560e250e4df8162f67 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | ItemSize | 229 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | HashAlg | 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | ItemData | 0x386b085f84ecf669d36b956a22c01e80 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | ItemSize | 370 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | SaferFlags | 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} | ItemData | %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} | SaferFlags | 0 | 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | ComputerName | PC | 2
HKLM\System\CurrentControlSet\Control\ProductOptions | ProductType | WinNT | 1
HKLM\System\CurrentControlSet\Control\Terminal Server | TSUserEnabled | 0 | 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | Domain |  | 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | Hostname | pc | 1
HKLM\System\Setup | SystemSetupInProgress | 0 | 2
HKLM\System\WPA\PnP | seed | 1274198464 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Local Settings | %USERPROFILE%\Local Settings | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Personal | %USERPROFILE%\My Documents | 1

3.b) ENCRIP~1.EXE - File Activities

Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\937e_appcompat.txt

C:\lz32.dll

Files Read:

PIPE\lsarpc

Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\937e_appcompat.txt

PIPE\lsarpc

File System Control Communication:

File Control Code Times

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ 0x00090028 1

PIPE\lsarpc 0x0011C017 6

Device Control Communication:

File Control Code Times

\Device\KsecDD 0x00390008 1

Memory Mapped Files:

File Name

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\apphelp.dll

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\dwwin.exe

C:\WINDOWS\system32\faultrep.dll

C:\WINDOWS\system32\kernel32.dll

C:\Windows\AppPatch\sysmain.sdb

3.c) ENCRIP~1.EXE - Process Activities


Processes Created:

Executable | Command Line
C:\WINDOWS\system32\dwwin.exe | C:\WINDOWS\system32\dwwin.exe -x -s 160
C:\WINDOWS\system32\drwtsn32.exe | C:\WINDOWS\system32\drwtsn32 -p 1200 -e 124 -g

Remote Threads Created:

Affected Process

C:\WINDOWS\system32\dwwin.exe

C:\WINDOWS\system32\drwtsn32.exe

Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\dwwin.exe

Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\dwwin.exe

3.d) ENCRIP~1.EXE - Other Activities

Windows SEH exceptions:

Description | Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x40e545 | 1
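Sections 2.c, 3.c and 3.d together answer the two questions a triager asks of the "Write to foreign memory areas" and "Execution did not terminate correctly" findings: did any process write into a process it did not itself start, and does the recorded crash account for the exit code? The following Python is an added example, not code from Anubis or from this report. It parses an excerpt in the flattened layout used above (transcribed from those three sections and embedded as constructed sample input), rebuilds the parent-child relation from the "Processes Created" lists, labels each foreign-memory write by whether its target is the writer's own child, and checks the signed exit code against the recorded SEH status. The section names it keys on are the ones used in this report; the labels "own child" and "unrelated" and the function names are the example's own.

```python
import re

# Constructed sample input: the process and memory lines from sections 2.c,
# 3.c and 3.d of the report above, transcribed in the same flattened layout.
# It is hand-made for this example, not a file that Anubis emitted.
EXCERPT = r"""
2. 0026246716.exe
Exit Code: 0
Processes Created:
Executable Command Line
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe
Foreign Memory Regions Written:
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Blend.exe
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE
3. ENCRIP~1.EXE
Exit Code: -1073741819
Processes Created:
Executable Command Line
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe -x -s 160
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32 -p 1200 -e 124 -g
Foreign Memory Regions Written:
Process: C:\WINDOWS\system32\drwtsn32.exe
Process: C:\WINDOWS\system32\dwwin.exe
Windows SEH exceptions:
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x40e545
"""

SUBJECT_RE = re.compile(r"^\d+\.\s+(\S+)$")          # "3. ENCRIP~1.EXE"
EXCEPTION_RE = re.compile(r"Exception (0x[0-9a-fA-F]+)")
SECTIONS = {
    "Processes Created:": "created",
    "Foreign Memory Regions Written:": "written",
    "Windows SEH exceptions:": "exceptions",
}


def image_name(path):
    """Last path component; the report identifies processes by full path."""
    return path.rsplit("\\", 1)[-1]


def parse_report(text):
    """Map each subject to its spawned children, foreign-memory write
    targets, exit code and SEH exception codes."""
    subjects, current, section, pending = {}, None, None, []

    def flush_created():
        # "Processes Created" lists an executable line followed by its
        # command line; keep only the executable (even-indexed) lines.
        if current is not None and section == "created":
            current["created"] += [image_name(l) for l in pending[0::2]]
        pending.clear()

    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SUBJECT_RE.match(line)
        if m:
            flush_created()
            current = subjects.setdefault(m.group(1), {
                "created": [], "foreign_written": [],
                "exit_code": None, "exceptions": []})
            section = None
        elif current is None:
            continue
        elif line.startswith("Exit Code:"):
            current["exit_code"] = int(line.split(":", 1)[1])
        elif line.endswith(":"):
            flush_created()
            section = SECTIONS.get(line)
        elif section == "created" and line != "Executable Command Line":
            pending.append(line)
        elif section == "written" and line.startswith("Process:"):
            current["foreign_written"].append(
                image_name(line.split(":", 1)[1].strip()))
        elif section == "exceptions":
            m = EXCEPTION_RE.search(line)
            if m:
                current["exceptions"].append(int(m.group(1), 16))
    flush_created()
    return subjects


def classify_foreign_writes(subjects):
    """Label each foreign-memory write 'own child' when the target is a
    process the writer itself created, else 'unrelated'. Writes into own
    children are what process creation looks like (and what hollowing of a
    fresh child looks like too); writes into unrelated processes are the
    injection case worth escalating."""
    return [
        (writer, target,
         "own child" if target in info["created"] else "unrelated")
        for writer, info in subjects.items()
        for target in info["foreign_written"]
    ]


def ntstatus(exit_code):
    """The signed exit code Anubis prints, as the unsigned NTSTATUS it encodes."""
    return exit_code & 0xFFFFFFFF


def crash_explains_exit(info):
    """True when the subject's exit code is one of its recorded SEH exception
    codes, i.e. the process died of that unhandled exception."""
    return (info["exit_code"] is not None
            and ntstatus(info["exit_code"]) in info["exceptions"])


if __name__ == "__main__":
    parsed = parse_report(EXCERPT)
    for writer, target, kind in classify_foreign_writes(parsed):
        print(f"{writer} -> {target}: {kind}")
    for name, info in parsed.items():
        if info["exit_code"] is not None:
            print(f"{name} exit 0x{ntstatus(info['exit_code']):08X}"
                  f" explained by recorded crash: {crash_explains_exit(info)}")
```

On this report every write is into a child the writer had just created, and ENCRIP~1.EXE's exit code -1073741819 is 0xC0000005, the STATUS_ACCESS_VIOLATION recorded in 3.d; dwwin.exe and drwtsn32.exe are the processes named by the AeDebug Debugger value read in 3.a and the Dr. Watson dialog, started because of that fault rather than by the sample's own logic. An "own child" label is a reason to look at what was written, not a clean bill, since hollowing writes into a freshly spawned child in exactly the same way.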

4. dwwin.exe

General information about this executable

Analysis Reason: Started by ENCRIP~1.EXE

Filename: dwwin.exe

MD5: 86042f6f6a5287eaf9379c91d0bf72b6

SHA-1: 532bf74e6aead7438aa7264d01759a065410ee68

File Size: 180224

Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 160

Process-status at analysis end: dead

Exit Code: 0

Load-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000

C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F6000

C:\WINDOWS\system32\ADVAPI32.DLL 0x77DD0000 0x0009B000

C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000

C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000

C:\WINDOWS\system32\COMCTL32.DLL 0x5D090000 0x0009A000

C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00049000

C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00091000

C:\WINDOWS\system32\OLEAUT32.DLL 0x77120000 0x0008B000

C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000

C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000

C:\WINDOWS\system32\SHELL32.DLL 0x7C9C0000 0x00817000

C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000

C:\WINDOWS\system32\URLMON.DLL 0x7E1E0000 0x000A2000

C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000


C:\WINDOWS\system32\WININET.DLL 0x771B0000 0x000AA000

C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00095000

C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000

C:\WINDOWS\system32\ShimEng.dll 0x5CB70000 0x00026000

C:\WINDOWS\AppPatch\AcGenral.DLL 0x6F880000 0x001CA000

C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000

C:\WINDOWS\system32\MSACM32.dll 0x77BE0000 0x00015000

C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B4000

C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

0x773D0000 0x00103000

Run-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\1033\dwintl.dll 0x314C0000 0x0000C000

C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00055000

C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000

C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000

C:\WINDOWS\system32\sensapi.dll 0x722B0000 0x00005000

C:\WINDOWS\system32\MSCTF.dll 0x74720000 0x0004C000

C:\WINDOWS\system32\riched20.dll 0x74E30000 0x0006D000

C:\WINDOWS\system32\imm32.dll 0x76390000 0x0001D000

C:\WINDOWS\system32\shfolder.dll 0x76780000 0x00009000

C:\WINDOWS\system32\PSAPI.DLL 0x76BF0000 0x0000B000

C:\WINDOWS\system32\rtutils.dll 0x76E80000 0x0000E000

C:\WINDOWS\system32\rasman.dll 0x76E90000 0x00012000

C:\WINDOWS\system32\TAPI32.dll 0x76EB0000 0x0002F000

C:\WINDOWS\system32\RASAPI32.DLL 0x76EE0000 0x0003C000

Popups

Window Name: ENCRIP~1.EXE
Window Text:
  &Don't Send
  ENCRIP~1.EXE has encountered a problem and needs to close. We are sorry for the inconvenience.
  ENCRIP~1.EXE has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains,
  Details
  &Send Error Report
Screenshot: (none)
Number of Displayed Times: 1

4.a) dwwin.exe - Registry Activities

Registry Values Modified:

Key | Name | New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings | ProxyEnable | 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common AppData | C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths | Directory | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths | Paths | 4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | AppData | C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cookies | C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | History | C:\Documents and Settings\Administrator\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Personal | C:\Documents and Settings\Administrator\My Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings | MigrateProxy | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings | ProxyEnable | 0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 0x3c00000016000000010000000000000000000000000000000040000000000

Registry Values Read:

Key Name Value Times

HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ CUAS 0 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings UrlEncoding 0x00000000 2

HKLM\SYSTEM\CurrentControlSet\Control\SessionManager CriticalSectionTimeout 2592000 1

HKLM\SYSTEM\Setup SystemSetupInProgress 0 1

HKLM\SYSTEM\WPA\MediaCenter Installed 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 aFormatTagCache 0x01000000100000000204000014000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm aFormatTagCache 0x01000000100000001100000014000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm fdwSupport 1 1


HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm aFormatTagCache 0x0100000010000000550000001e000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm aFormatTagCache 0x01000000100000000200000032000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 aFormatTagCache 0x010000001200000060010000160000006610100001c000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 cFormatTags 3 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 aFormatTagCache 0x0100000010000000060000001200000000700000012000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 cFormatTags 3 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 aFormatTagCache 0x0100000010000000420000001c000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 aFormatTagCache 0x01000000100000003100000014000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet aFormatTagCache 0x01000000100000003001000016000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch aFormatTagCache 0x01000000100000002200000032000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch fdwSupport 1 1


HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS * 1 1

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL * 1 1

HKLM\Software\Microsoft\Tracing EnableConsoleTracing 0 1

HKLM\Software\Microsoft\Tracing\RASAPI32 ConsoleTracingMask 4294901760 2

HKLM\Software\Microsoft\Tracing\RASAPI32 EnableConsoleTracing 0 2

HKLM\Software\Microsoft\Tracing\RASAPI32 EnableFileTracing 0 2

HKLM\Software\Microsoft\Tracing\RASAPI32 FileDirectory %windir%\tracing 4

HKLM\Software\Microsoft\Tracing\RASAPI32 FileTracingMask 4294901760 2

HKLM\Software\Microsoft\Tracing\RASAPI32 MaxFileSize 1048576 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion DigitalProductId 0xa40000000300000037363438372d36343302d313435373233362d32333833 1

HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug Debugger drwtsn32 -p %ld -e %ld -g 4

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 midimapper 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.iac2 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.imaadpcm imaadp32.acm 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.l3acm 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msadpcm 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msaudio1 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msg711 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msg723 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msgsm610 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.sl_anet 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.trspch 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.I420 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.M261 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.M263 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.cvid 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iv31 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iv32 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iv41 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iv50 1

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iyuv 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.mrle 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.msvc 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.uyvy 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.yuy2 2


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.yvu9 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.yvyu 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 wavemapper 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList AllUsersProfile All Users 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList DefaultUserProfile Default User 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ProfilesDirectory %SystemDrive%\Documents and Settings 4

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ProfileImagePath %SystemDrive%\Documents and Settings\Administrator 2

HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir C:\Program Files\Common Files 3

HKLM\Software\Microsoft\Windows\CurrentVersion ProgramFilesDir C:\Program Files 3

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common AppData %ALLUSERSPROFILE%\Application Data 1

HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers TransparentEnabled 1 1

HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName PC 5

HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm wheel 1 1

HKLM\System\CurrentControlSet\Control\ProductOptions ProductType WinNT 1

HKLM\System\CurrentControlSet\Control\SessionManager\Environment ComSpec %SystemRoot%\system32\cmd.exe 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment FP_NO_HOST_CHECK NO 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment NUMBER_OF_PROCESSORS 1 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment OS Windows_NT 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment PROCESSOR_ARCHITECTURE x86 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment PROCESSOR_IDENTIFIER x86 Family 6 Model 3 Stepping 3,GenuineIntel 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment PROCESSOR_LEVEL 6 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment PROCESSOR_REVISION 0303 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment Path %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment TEMP %SystemRoot%\TEMP 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment TMP %SystemRoot%\TEMP 4

HKLM\System\CurrentControlSet\Control\SessionManager\Environment windir %SystemRoot% 4

HKLM\System\CurrentControlSet\Control\Terminal Server TSUserEnabled 0 1

HKLM\System\Setup SystemSetupInProgress 0 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment TEMP %USERPROFILE%\Local Settings\Temp 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment TMP %USERPROFILE%\Local Settings\Temp 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle Language Hotkey 1 6

HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle Layout Hotkey 2 6


HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableHttp1_1 1 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableNegotiate 1 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MimeExclusionListForCache multipart/mixed multipart/x-mixed-replace multipart/x-byteranges 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnPost 0x01000000 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Settings Anchor Color 0,0,255 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio SystemFormats CD Quality,Radio Quality,Telephone Quality 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ParseAutoexec 1 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders AppData %USERPROFILE%\Application Data 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cache %USERPROFILE%\Local Settings\Temporary Internet Files 3

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cookies %USERPROFILE%\Cookies 3

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders History %USERPROFILE%\Local Settings\History 3

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Local Settings %USERPROFILE%\Local Settings 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Personal %USERPROFILE%\My Documents 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Signature Client UrlCache MMF Ver 5.2 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CacheLimit 163410 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CachePrefix 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content PerUserItem 1 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CacheLimit 8192 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CachePrefix Cookie: 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies PerUserItem 1 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 CacheLimit 8192 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 CacheOptions 11 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021720110218\ 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 CachePrefix :2011021720110218: 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 CacheRepair 0 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 CacheLimit 8192 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 CacheOptions 11 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021820110219\ 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 CachePrefix :2011021820110219: 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 CacheRepair 0 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CacheLimit 8192 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CachePrefix Visited: 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History PerUserItem 1 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings MigrateProxy 1 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections DefaultConnectionSettings 0x3c00000003000000010000000000000000000000000000000040000000000 2

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 0x3c00000015000000010000000000000000000000000000000040000000000 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment APPDATA C:\Documents and Settings\Administrator\Application Data 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment CLIENTNAME Console 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment HOMEDRIVE C: 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment HOMEPATH \Documents and Settings\Administrator 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment HOMESHARE 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment LOGONSERVER \\PC 4

HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment SESSIONNAME Console 4


Monitored Registry Keys:

Key Name Watch subtree Notify Filter Count

HKLM\Software\Microsoft\Tracing\RASAPI32 0 Attributes Change,Value Change,SecurityDescriptor Change 2

4.b) dwwin.exe - File Activities

Files Deleted:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6B50A.dmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\937e_appcompat.txt

Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6B50A.dmp

Files Read:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\WINDOWS\win.ini

PIPE\lsarpc

c:\autoexec.bat

Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6B50A.dmp

PIPE\lsarpc

File System Control Communication:

File Control Code Times

C:\WINDOWS\system32 0x00090028 1

PIPE\lsarpc 0x0011C017 16

Device Control Communication:

File Control Code Times

\Device\KsecDD 0x00390008 8

Memory Mapped Files:

File Name

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6B50A.dmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\1033\dwintl.dll

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\COMCTL32.DLL

C:\WINDOWS\system32\GDI32.dll

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\NETAPI32.dll

C:\WINDOWS\system32\PSAPI.DLL

C:\WINDOWS\system32\RASAPI32.DLL

C:\WINDOWS\system32\RPCRT4.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\SHELL32.DLL

C:\WINDOWS\system32\SHLWAPI.dll

C:\WINDOWS\system32\Secur32.dll


C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\URLMON.DLL

C:\WINDOWS\system32\USER32.dll

C:\WINDOWS\system32\USERENV.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\VERSION.dll

C:\WINDOWS\system32\WININET.DLL

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\faultrep.dll

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\msvcrt.dll

C:\WINDOWS\system32\ntdll.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\riched20.dll

C:\WINDOWS\system32\rtutils.dll

C:\WINDOWS\system32\sensapi.dll

C:\WINDOWS\system32\shfolder.dll

C:\Windows\AppPatch\sysmain.sdb

4.c) dwwin.exe - Process Activities

Foreign Memory Regions Read:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

4.d) dwwin.exe - Other Activities

Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

MSCTF.Shared.MUTEX.IFG

SHIMLIB_LOG_MUTEX

ZonesCacheCounterMutex

ZonesCounterMutex

ZonesLockedCacheCounterMutex

Windows SEH exceptions:

Description Times

Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7e41d024 1

Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c9122dd 4

5. drwtsn32.exe


General information about this executable

Analysis Reason: Started by ENCRIP~1.EXE

Filename: drwtsn32.exe

MD5: c9f5e1de6da983e89e714ed80c11f000

SHA-1: 1717b633478fb107d3c26344f710328b93ae550c

File Size: 45568

Command Line: C:\WINDOWS\system32\drwtsn32 -p 1200 -e 124 -g

Process-status at analysis end: dead

Exit Code: 0

Load-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000

C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F6000

C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000

C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000

C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000

C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000

C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00049000

C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00091000

C:\WINDOWS\system32\dbgeng.dll 0x6D590000 0x000F6000

C:\WINDOWS\system32\DBGHELP.dll 0x59A60000 0x000A1000

C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000

C:\WINDOWS\system32\ShimEng.dll 0x5CB70000 0x00026000

C:\WINDOWS\AppPatch\AcGenral.DLL 0x6F880000 0x001CA000

C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000

C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000

C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000

C:\WINDOWS\system32\MSACM32.dll 0x77BE0000 0x00015000

C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00817000

C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000

C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B4000

C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 0x773D0000 0x00103000

C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000

Run-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\ntsdexts.dll 0x5F170000 0x0000C000

C:\WINDOWS\system32\exts.dll 0x69480000 0x00022000

C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000

5.a) drwtsn32.exe - Registry Activities

Registry Values Modified:

Key Name New Value

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData C:\Documents and Settings\All Users\Application Data

HKLM\software\microsoft\DrWatson NumberOfCrashes 1

Registry Values Read:

Key Name Value Times

HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Identifier x86 Family 6 Model 3 Stepping 3 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentBuildNumber 2600 1


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentType Uniprocessor Free 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization TU Wien, Campuslizenz 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Ihr Benutzername 1

HKLM\SYSTEM\CurrentControlSet\Control\SessionManager CriticalSectionTimeout 2592000 1

HKLM\SYSTEM\CurrentControlSet\Control\Windows CSDVersion 768 1

HKLM\SYSTEM\Setup SystemSetupInProgress 0 1

HKLM\SYSTEM\WPA\MediaCenter Installed 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 aFormatTagCache 0x01000000100000000204000014000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm aFormatTagCache 0x01000000100000001100000014000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm aFormatTagCache 0x0100000010000000550000001e000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm aFormatTagCache 0x01000000100000000200000032000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 aFormatTagCache 0x010000001200000060010000160000006610100001c000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 cFormatTags 3 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 aFormatTagCache 0x0100000010000000060000001200000000700000012000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 cFormatTags 3 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 aFormatTagCache 0x0100000010000000420000001c000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 cFilterTags 0 1


HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 aFormatTagCache 0x01000000100000003100000014000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet aFormatTagCache 0x01000000100000003001000016000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet fdwSupport 1 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch aFormatTagCache 0x01000000100000002200000032000000 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch cFilterTags 0 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch cFormatTags 2 1

HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch fdwSupport 1 1

HKLM\Software\Microsoft\Windows NT\CurrentVersion CurrentType Uniprocessor Free 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 midimapper 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.iac2 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.imaadpcm 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.l3acm 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msadpcm 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msaudio1 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msg711 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msg723 msg723.acm 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.msgsm610 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.sl_anet 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 msacm.trspch tssoft32.acm 3

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.I420 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.M261 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.M263 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.cvid 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iv31 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iv32 2


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iv41 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iv50 1

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.iyuv 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.mrle 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.msvc 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.uyvy 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.yuy2 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.yvu9 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.yvyu 2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 wavemapper 2

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common AppData %ALLUSERSPROFILE%\Application Data 1

HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers TransparentEnabled 1 1

HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName PC 4

HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm wheel 1 1

HKLM\System\CurrentControlSet\Control\ProductOptions ProductType WinNT 1

HKLM\software\microsoft\DrWatson AppendToLogFile 1 1

HKLM\software\microsoft\DrWatson CrashDumpType 1 1

HKLM\software\microsoft\DrWatson CreateCrashDump 1 1

HKLM\software\microsoft\DrWatson DumpAllThreads 1 1

HKLM\software\microsoft\DrWatson DumpSymbols 0 1

HKLM\software\microsoft\DrWatson Instructions 10 1

HKLM\software\microsoft\DrWatson MaximumCrashes 10 1

HKLM\software\microsoft\DrWatson NumberOfCrashes 0 2

HKLM\software\microsoft\DrWatson SoundNotification 0 1

HKLM\software\microsoft\DrWatson VisualNotification 0 1

HKLM\software\microsoft\DrWatson WaveFile 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio SystemFormats CD Quality,Radio Quality,Telephone Quality 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Local Settings %USERPROFILE%\Local Settings 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Personal %USERPROFILE%\My Documents 1

5.b) drwtsn32.exe - File Activities

Files Created:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

Files Read:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

PIPE\lsarpc


Files Modified:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

PIPE\lsarpc

Directories Created:

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

File System Control Communication:

File Control Code Times

PIPE\lsarpc 0x0011C017 3

Device Control Communication:

File Control Code Times

\Device\KsecDD 0x00390008 8

Memory Mapped Files:

File Name

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\DBGHELP.dll

C:\WINDOWS\system32\GDI32.dll

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\RPCRT4.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\SHLWAPI.dll

C:\WINDOWS\system32\Secur32.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\USER32.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\VERSION.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\dbgeng.dll

C:\WINDOWS\system32\exts.dll

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\msvcrt.dll

C:\WINDOWS\system32\ntdll.dll

C:\WINDOWS\system32\ntsdexts.dll

C:\WINDOWS\system32\psapi.dll

C:\Windows\AppPatch\sysmain.sdb

5.c) drwtsn32.exe - Process Activities

Processes Killed:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

Remote Threads Created:

Affected Process

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE


Foreign Memory Regions Read:

Process: C:\0026246716.exe

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

Process: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

Process: C:\Program Files\Common Files\imuezq.exe

Process: C:\Program Files\Common Files\qecbps.exe

Process: C:\Program Files\Messenger\msmsgs.exe

Process: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Process: C:\WINDOWS\explorer.exe

Process: C:\WINDOWS\system32\alg.exe

Process: C:\WINDOWS\system32\csrss.exe

Process: C:\WINDOWS\system32\ctfmon.exe

Process: C:\WINDOWS\system32\drwtsn32.exe

Process: C:\WINDOWS\system32\lsass.exe

Process: C:\WINDOWS\system32\services.exe

Process: C:\WINDOWS\system32\smss.exe

Process: C:\WINDOWS\system32\spoolsv.exe

Process: C:\WINDOWS\system32\svchost.exe

Process: C:\WINDOWS\system32\winlogon.exe

Process: C:\WINDOWS\system32\wscntfy.exe

Process: C:\WINDOWS\system32\wuauclt.exe

Foreign Memory Regions Written:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ENCRIP~1.EXE

5.d) drwtsn32.exe - Other Activities

Mutexes Created:

SHIMLIB_LOG_MUTEX

Windows SEH exceptions:

Description Times

Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c9122dd 1

6. Blend.exe

General information about this executable

Analysis Reason: Started by 0026246716.exe

Filename: Blend.exe

Process-status at analysis end: alive

Exit Code: 0

Load-time Dlls

Module Name Base Address Size

C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000

6.a) Blend.exe - Registry Activities

Registry Values Read:

Key Name Value Times

HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers TransparentEnabled 1 1

6.b) Blend.exe - File Activities


File System Control Communication:

File Control Code Times

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ 0x00090028 1

Memory Mapped Files:

File Name

C:\WINDOWS\system32\mscoree.dll