[##############################################################################]
Analysis Report for 6bf6fe3580b6c808bbf4689753576812
MD5: 6bf6fe3580b6c808bbf4689753576812
[##############################################################################]
Summary:
- Performs File Modification and Destruction:
The executable modifies and destroys files that are not temporary.
- Performs Registry Activities:
The executable reads and modifies registry values. It also creates and
monitors registry keys.
[==============================================================================]
Table of Contents
[==============================================================================]
- General information
- 6bf6fe3580.exe
a) Registry Activities
b) File Activities
[##############################################################################]
1. General Information
[##############################################################################]
[==============================================================================]
Information about Anubis' invocation
[==============================================================================]
Time needed: 401 s
Report created: 10/25/10, 19:40:13 UTC
Termination reason: Timeout
Program version: 1.74.3195
[##############################################################################]
2. 6bf6fe3580.exe
[##############################################################################]
[==============================================================================]
General information about this executable
[==============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: 6bf6fe3580.exe
MD5: 6bf6fe3580b6c808bbf4689753576812
SHA-1: 246cc69ffcb80af96b0b88d7a976c4c33ae7165e
File Size: 1019011 Bytes
Command Line: "C:\6bf6fe3580.exe"
Process status at analysis end: alive
Exit Code: 0
[==============================================================================]
Load-time Dlls
[==============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ],
Base Address: [0x4EC50000 ], Size: [0x001A6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\MSVFW32.dll ],
Base Address: [0x75A70000 ], Size: [0x00021000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comdlg32.dll ],
Base Address: [0x763B0000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ],
Base Address: [0x73000000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\system32\oledlg.dll ],
Base Address: [0x7DF70000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\OLEPRO32.DLL ],
Base Address: [0x5EDD0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
[==============================================================================]
Run-time Dlls
[==============================================================================]
Module Name: [ C:\WINDOWS\system32\macromed\flash\flash.ocx ],
Base Address: [0x10000000 ], Size: [0x0018D000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\WSOCK32.dll ],
Base Address: [0x71AD0000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\mlang.dll ],
Base Address: [0x75CF0000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\system32\urlmon.dll ],
Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
Base Address: [0x7E720000 ], Size: [0x000B0000 ]
[==============================================================================]
2.a) 6bf6fe3580.exe - Registry Activities
[==============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\.SWF ],
Value Name: [ Content Type ], Value: [ application/x-shockwave-flash ], 2 times
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\INPROCSERVER32 ],
Value Name: [ ], Value: [ C:\WINDOWS\system32\mlang.dll ], 3 times
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\INPROCSERVER32 ],
Value Name: [ ThreadingModel ], Value: [ Both ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\INPROCSERVER32 ],
Value Name: [ ], Value: [ C:\WINDOWS\system32\macromed\flash\flash.ocx ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\INPROCSERVER32 ],
Value Name: [ ThreadingModel ], Value: [ Apartment ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\MISCSTATUS\1 ],
Value Name: [ ], Value: [ 131473 ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\TYPELIB\{00020430-0000-0000-C000-000000000046}\2.0\0\WIN32 ],
Value Name: [ ], Value: [ C:\WINDOWS\system32\stdole2.tlb ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\TYPELIB\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\WIN32 ],
Value Name: [ ], Value: [ C:\WINDOWS\system32\macromed\flash\flash.ocx ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\COM3 ],
Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Microsoft\COM3 ],
Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 8 times
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ],
Value Name: [ * ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ],
Value Name: [ * ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\CLSID ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 1 time
Key: [ HKLM\Software\Classes ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
Key: [ HKLM\Software\Classes\CLSID ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times
Key: [ HKLM\Software\Microsoft\COM3 ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times
Key: [ HKU ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 5 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500_Classes ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 1 time
[==============================================================================]
2.b) 6bf6fe3580.exe - File Activities
[==============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Scratch\temp.swf ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340 ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Scratch ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Scratch\temp.swf ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Workspace ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Workspace\FSCommandDLL ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Workspace\MentalAQW 1.9.swf ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\pts.dat ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\tempArc.arc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\6bf6fe3580.exe ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Scratch\temp.swf ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Workspace\MentalAQW 1.9.swf ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\pts.dat ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\tempArc.arc ]
File Name: [ C:\WINDOWS\Registration\R000000000007.clb ]
File Name: [ C:\WINDOWS\system32\macromed\flash\flash.ocx ]
File Name: [ C:\WINDOWS\system32\stdole2.tlb ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Scratch\temp.swf ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Workspace\MentalAQW 1.9.swf ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\pts.dat ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\tempArc.arc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directory: [ C:\Documents and Settings\Administrator\Application Data\IFViewer ]
Directory: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340 ]
Directory: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Scratch ]
Directory: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Workspace ]
Directory: [ C:\Documents and Settings\Administrator\Application Data\IFViewer\295726340\Workspace\FSCommandDLL ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\6BF6FE~1.EXE ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
File Name: [ C:\WINDOWS\system32\COMRes.dll ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSVFW32.dll ]
File Name: [ C:\WINDOWS\system32\OLEPRO32.DLL ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\SXS.DLL ]
File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
File Name: [ C:\WINDOWS\system32\WSOCK32.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\macromed\flash\flash.ocx ]
File Name: [ C:\WINDOWS\system32\mlang.dll ]
File Name: [ C:\WINDOWS\system32\oledlg.dll ]
File Name: [ C:\WINDOWS\system32\rpcss.dll ]
File Name: [ C:\WINDOWS\system32\stdole2.tlb ]
File Name: [ C:\WINDOWS\system32\urlmon.dll ]
[##############################################################################]
International Secure Systems Lab
Vienna University of Technology Eurecom France UC Santa Barbara