Analysis Summary:

Analysis Date 11/23/2006 12:52:14 AM
Sandbox Version 1.89
Filename 5180967fce9493771ee828e786d5bac2.exe

Technical Details:

Analysis Number 1
Parent ID 0
Process ID 344
Filename c:\temp\5180967fce9493771ee828e786d5bac2.exe
Filesize 1214282 bytes
MD5 5180967fce9493771ee828e786d5bac2
Start Reason AnalysisTarget
Termination Reason NormalTermination
Start Time 00:00.079
Stop Time 03:01.079
Detection
- (Authentium Command Antivirus - EngVer: 4.92.123.35 - SigVer: 20061115 35)
- (BitDefender Antivirus - EngVer: 7.0.0.2311 - SigVer: 7.09951)
- (CounterSpy - EngVer: 2.1.628.0 - SigVer: 449)
- (Microsoft Malware Protection - EngVer: 1.1.1609.0 - SigVer: Wed Nov 15 11:21:34 2006)
- (Norton AntiVirus - EngVer: 20061.3.0.12 - SigVer: 20061115 13:15:28)
DLL-Handling
Loaded DLLs
c:\temp\5180967fce9493771ee828e786d5bac2.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\MSVCRT.DLL
C:\WINDOWS\system32\OLE32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\Secur32.dll
.\UxTheme.dll
UxTheme.dll
USER32.dll
Filesystem
New Files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp - Stored: 1284fa24636c5337a9211d0a110a456e.tmp
Opened Files
c:\temp\5180967fce9493771ee828e786d5bac2.exe - Stored:
\SystemRoot\AppPatch\sysmain.sdb - Stored:
\SystemRoot\AppPatch\systest.sdb - Stored:
\Device\NamedPipe\ShimViewer - Stored:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp - Stored:
Deleted Files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp
Chronological order
Open File: c:\temp\5180967fce9493771ee828e786d5bac2.exe (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp ()
Find File: is-7LFS3.tmp
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp
Registry
Process Management
Creates Process - Filename () CommandLine: ("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp" /SL4 $4F011C c:\temp\5180967fce9493771ee828e786d5bac2.exe 990305 50688 ) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (344) As User: () Creation Flags: ()
System Info
Get System Time
Window
Enum Windows
Destroy Window - Class Name (Static) Window Name (InnoSetupLdrWindow)

The following process was started by process: 1
Analysis Number 2
Parent ID 1
Process ID 280
Filename C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp /SL4 $4F011C c:\temp\5180967fce9493771ee828e786d5bac2.exe 990305 50688
Filesize 586240 bytes
MD5 1284fa24636c5337a9211d0a110a456e
Start Reason CreateProcess
Termination Reason Timeout
Start Time 00:02.422
Stop Time 03:00.954
Detection
- (Authentium Command Antivirus - EngVer: 4.92.123.35 - SigVer: 20061115 35)
- (BitDefender Antivirus - EngVer: 7.0.0.2311 - SigVer: 7.09951)
- (CounterSpy - EngVer: 2.1.628.0 - SigVer: 449)
- (Microsoft Malware Protection - EngVer: 1.1.1609.0 - SigVer: Wed Nov 15 11:21:34 2006)
- (Norton AntiVirus - EngVer: 20061.3.0.12 - SigVer: 20061115 13:15:28)
DLL-Handling
Loaded DLLs
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-4EADP.tmp\is-7LFS3.tmp
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\MSVCRT.DLL
C:\WINDOWS\system32\OLE32.DLL
C:\WINDOWS\system32\mpr.dll
C:\WINDOWS\system32\version.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\comdlg32.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\Secur32.dll
.\UxTheme.dll
uxtheme.dll
shell32.dll
shfolder.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-2T35R.tmp\siminstwiz.dll
ole32.dll
RICHED20.DLL
Filesystem
New Files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-2T35R.tmp\_shfoldr.dll - Stored: 92dc6ef532fbb4a5c3201469a5b5eb63.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-2T35R.tmp\siminstwiz.dll - Stored: c4bc207cf5dcf528d6108d59dfe83e61.dll
Opened Files
c:\temp\5180967fce9493771ee828e786d5bac2.exe - Stored:
\\.\PIPE\lsarpc - Stored:
\\.\PIPE\ntsvcs - Stored:
Chronological order
Open File: c:\temp\5180967fce9493771ee828e786d5bac2.exe (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-2T35R.tmp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-2T35R.tmp\_shfoldr.dll
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-2T35R.tmp\siminstwiz.dll
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-2T35R.tmp\siminstwiz.dll
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-2T35R.tmp\siminstwiz.dll
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Administrator\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini Flags: (SECURITY_ANONYMOUS)
INI Files
Read INI File
C:\Documents and Settings\Administrator\Start Menu\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Administrator\Start Menu\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini [.ShellClassInfo] IconFile =
WIN.INI [windows] ScrollInset =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragMinDist =
WIN.INI [windows] ScrollDelay =
WIN.INI [windows] ScrollInterval =
WIN.INI [richedit30] flags =
Registry
Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "CommonFilesDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOwner"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOrganization"
System Info
Get System Directory
Get Windows Directory
Get System Time
Window
Enum Windows
Destroy Window - Class Name (TWizardForm) Window Name (Setup - Kiwi Alpha)

Report generated at 11/23/2006 12:52:14 AM with CWSandbox Version 1.89
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.