Download Link: hxxp://hotcoupling.net/video/VideoCodecSetup.exe
File Name: VideoCodecSetup.exe
File size: 51712 bytes
MD5...: 78637a6baa9ba0f9b36541c50805406d
SHA1..: a3c2c6fcc1ae4ee0d9316d24a1747703bb2925b8
SHA256: 161e0126d5cef0ada7c2691b1f4150ed6fafece72131e7ed05c4503c928bb0f6
SHA512: e3bc316c6545524fda2cdae07fe985eb5cb35882f2d7709fd10d3f5d648f8b94a7e331b798b498cb58d42a0b8c71fa8072b444777a4f8ea4d5bbda2510074f36

VirusTotal Result: 1/32 (3.13%)
Kaspersky 7.0.0.125 2008.04.08 not-a-virus:AdWare.Win32.Agent.bhi

Log data
Address   Message
00400000  Module VideoCodecSetup.exe
7C800000  Module C:\WINDOWS\system32\kernel32.dll
7C900000  Module C:\WINDOWS\system32\ntdll.dll
004011BD  Program entry point

Executable modules
Base      Size      Entry     Name      File version       Path
00400000  00025000  004011BD  VideoCod                     :\VideoCodecSetup.exe
7C800000  000F4000  7C80B436  kernel32  5.1.2600.2180 (x   C:\WINDOWS\system32\kernel32.dll
7C900000  000B0000  7C913156  ntdll     5.1.2600.2180 (x   C:\WINDOWS\system32\ntdll.dll

Number of Imported Modules = 1 (decimal)
Import Module 001: kernel32.dll
  Addr:00001048 hint(003E) Name: LoadLibraryA
  Addr:00001057 hint(00EF) Name: GetConsoleMode
  Addr:00001068 hint(0092) Name: FindFirstFileA

Number of Objects = 0002 (dec), Imagebase = 00400000h
Object01: .text  RVA: 00001000 Offset: 00000600 Size: 00000A00 Flags: 60000020 MD5: 23e2d4ceaca9d87b5dd33d74577a2e70
Object02: .data  RVA: 00002000 Offset: 00001000 Size: 0000BA00 Flags: 40000040 MD5: 66d145943f857eeb7a00eb2dd0fa5a08

Process Details:

File System Activities:
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\op_uid.dll (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\op_uid.dll
Create File: C:\WINDOWS\system32\upc.exe
Open File: C:\WINDOWS\system32\user32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\op_uid.dll (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\op_uid.dll
Open File: C:\WINDOWS\system32\upc.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\upc.exe
Open File: C:\WINDOWS\system32\upc.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bdcb_appcompat.txt
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\bdcb_appcompat.txt
Find File: C:\WINDOWS\system32\*
Open File: C:\WINDOWS\system32\advapi32.dll ()
Find File: advapi32.dll
Open File: C:\WINDOWS\system32\advapi32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\gdi32.dll ()
Find File: gdi32.dll
Open File: C:\WINDOWS\system32\gdi32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kernel32.dll ()
Find File: kernel32.dll
Open File: C:\WINDOWS\system32\kernel32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ntdll.dll ()
Find File: ntdll.dll
Open File: C:\WINDOWS\system32\ntdll.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ole32.dll ()
Find File: ole32.dll
Open File: C:\WINDOWS\system32\ole32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\oleaut32.dll ()
Find File: oleaut32.dll
Open File: C:\WINDOWS\system32\oleaut32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\shell32.dll ()
Find File: shell32.dll
Open File: C:\WINDOWS\system32\shell32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\user32.dll ()
Find File: user32.dll
Open File: C:\WINDOWS\system32\user32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wininet.dll ()
Find File: wininet.dll
Open File: C:\WINDOWS\system32\wininet.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\winsock.dll ()
Find File: winsock.dll
Open File: C:\WINDOWS\system32\winsock.dll (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\dwwin.exe ()
Find File: dwwin.exe

Registry Changes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS "ImagePath" = C:\WINDOWS\system32\upc.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS "Start" = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS "Type" = [REG_DWORD, value: 00000110]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS "ObjectName" = LocalSystem

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "DoReport"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "ShowUI"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "AllOrNone"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeMicrosoftApps"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeWindowsApps"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "DoTextLog"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeKernelFaults"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeShutdownErrs"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "NumberOfFaultPipes"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "NumberOfHangPipes"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "MaxUserQueueSize"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "ForceQueueMode"
HKEY_LOCAL_MACHINE\System\Setup "SystemSetupInProgress"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ExclusionList "file.exe"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management:
Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\dwwin.exe -x -s 2908) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE)
Open Process - Filename (C:\WINDOWS\system32\csrss.exe) Target PID: (620)

System Info:
Get System Directory
Get Windows Directory
Enum Handles

Process Started:
Process ID 316
Filename C:\WINDOWS\system32\dwwin.exe -x -s 2908
Filesize 180224 bytes
MD5 7c25440617eee6f69709aa8c915d2c32
Start Reason CreateProcess

File System Activities:
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\C469.dmp
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk

Read INI File:
WIN.INI [windows] ScrollInset =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragMinDist =
WIN.INI [windows] ScrollDelay =
WIN.INI [windows] ScrollInterval =
WIN.INI [richedit30] flags =

Mutexes:
Creates Mutex: RasPbFile

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion "DigitalProductId"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings "Anchor Color"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug "Debugger"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"

Service Management:
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"