CWSandbox Analysis report for file: c:\PostalGusanito.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 1 (c:\PostalGusanito.exe MD5: [30ccf558ea5d08e830942f9cb4a03e26], PID 2612, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

==============================================================================
COM
==============================================================================
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({4495AD01-C993-11D1-A3E4-00A0C90AEA82})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({7FD52380-4E07-101B-AE2D-08002B2EC713})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({37D84F60-42CB-11CE-8135-00AA004BB851})

==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVBVM60.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMM32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\VB6DE.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\VB6ES.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\uxtheme.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SXS.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\version.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msctfime.ime)
Loaded DLL - DLL: (C:\WINDOWS\system32\msctfime.ime)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSCTF.dll)
Loaded DLL - DLL: ()

==============================================================================
Filesystem Changes
==============================================================================
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING), (FILE_ANY_ACCESS), (FILE_SHARE_READ), (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)

==============================================================================
INI Files
==============================================================================
Read from INI file: WINHELP.INI [FILES] .HLP =

==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-583907252-1708537768-842925246-500MUTEX.DefaultS-1-5-21-583907252

==============================================================================
Registry Changes
==============================================================================
Create or Open:
Registry Changes:
Registry Reads:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ ""
  HKEY_CURRENT_USER\Keyboard Layout\Toggle\ ""
  HKEY_CURRENT_USER\Keyboard Layout\Toggle\ ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\ ""
  HKEY_CURRENT_USER\Software\Microsoft\CTF\ ""
Registry Enums:

==============================================================================
Process Management
==============================================================================
Creates Process - Filename () CommandLine: (c:\PostalGusanito.exe) Target PID: (2772) As User: () Creation Flags: (CREATE_SUSPENDED)
Kill Process - Filename () CommandLine: () Target PID: (2612) As User: () Creation Flags: ()

==============================================================================
System
==============================================================================
Sleep - Milliseconds (0)

==============================================================================
System Info
==============================================================================
Get System Directory
Get Windows Directory

==============================================================================
Threads
==============================================================================

==============================================================================
Virtual Memory
==============================================================================
VM Allocate - Target: (2772) Address: ($00400000) Size: (118784) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT MEM_RESERVE)
VM Protect - Target: (2772) Address: ($00400000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00400000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00401000) Size: (90112) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00417000) Size: (8192) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00417000) Size: (8192) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00419000) Size: (12288) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00419000) Size: (12288) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7FFDF000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7FFDF000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: ()
VM Write - Target: (2772) Address: ($00400000) Size: (1024) Protect: () Allocation Type: ()
VM Write - Target: (2772) Address: ($00401000) Size: (90112) Protect: () Allocation Type: ()
VM Write - Target: (2772) Address: ($00417000) Size: (7168) Protect: () Allocation Type: ()
VM Write - Target: (2772) Address: ($00419000) Size: (9728) Protect: () Allocation Type: ()
VM Write - Target: (2772) Address: ($7FFDF008) Size: (4) Protect: () Allocation Type: ()

==============================================================================
Window
==============================================================================
Enum Windows
Destroy Window - Class Name (ThunderRT6Main) Window Name (Stub)
Destroy Window - Class Name () Window Name ()
Destroy Window - Class Name (VBMsoStdCompMgr) Window Name ()

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 2 (C:\WINDOWS\system32\svchost.exe MD5: [4fbc75b74479c7a6f829e0ca19df3366], PID 980, User: SYSTEM)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ShimEng.dll)
Loaded DLL - DLL: (C:\WINDOWS\AppPatch\AcGenral.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINMM.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSACM32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\VERSION.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHELL32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHLWAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USERENV.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\UxTheme.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMM32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NTMARTA.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\SAMLIB.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (c:\windows\system32\rpcss.dll)
Loaded DLL - DLL: (c:\windows\system32\WS2_32.dll)
Loaded DLL - DLL: (c:\windows\system32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\xpsp2res.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CLBCATQ.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\COMRes.dll)
Loaded DLL - DLL: (c:\windows\system32\termsrv.dll)
Loaded DLL - DLL: (c:\windows\system32\ICAAPI.dll)
Loaded DLL - DLL: (c:\windows\system32\SETUPAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINTRUST.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CRYPT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSASN1.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMAGEHLP.dll)
Loaded DLL - DLL: (c:\windows\system32\AUTHZ.dll)
Loaded DLL - DLL: (c:\windows\system32\mstlsapi.dll)
Loaded DLL - DLL: (c:\windows\system32\ACTIVEDS.dll)
Loaded DLL - DLL: (c:\windows\system32\adsldpc.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NETAPI32.dll)
Loaded DLL - DLL: (c:\windows\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\REGAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\rsaenh.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Apphelp.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: ()

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 3 (c:\PostalGusanito.exe MD5: [30ccf558ea5d08e830942f9cb4a03e26], PID 2772, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\advapi32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMM32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\ws2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\wininet.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\shell32.dll)
Loaded DLL - DLL: ()

==============================================================================
Filesystem Changes
==============================================================================
Create File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini
Set File Attributes: C:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)

==============================================================================
Registry Changes
==============================================================================
Create or Open:
Registry Changes:
Registry Reads:
Registry Enums:

==============================================================================
Process Management
==============================================================================
Kill Process - Filename () CommandLine: () Target PID: (2772) As User: () Creation Flags: ()
Enum Processes
Enum Modules - Target PID: (2772)
Open Process - Filename () CommandLine: () Target PID: (1704) As User: () Creation Flags: ()
Open Process - Filename () CommandLine: () Target PID: (4) As User: () Creation Flags: ()

==============================================================================
System
==============================================================================
Sleep - Milliseconds (1)
Sleep - Milliseconds (500)
Sleep - Milliseconds (2000)

==============================================================================
System Info
==============================================================================
Get System Directory
Get System Time

==============================================================================
Threads
==============================================================================
Create Thread - Target PID (2772) Thread ID (2808) Thread ID ($77DC848A) Parameter Address ($00000000) Creation Flags ()
Create Remote Thread - Target PID (1704) Thread ID (2812) Thread ID ($01E51A80) Parameter Address ($01E60000) Creation Flags (CREATE_SUSPENDED)

==============================================================================
User Management
==============================================================================
Get User Name

==============================================================================
Virtual Memory
==============================================================================
VM Allocate - Target: (1704) Address: ($01670000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01D70000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E40000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E50000) Size: (65536) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E60000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($02A10000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1704) Address: ($02AEF000) Size: (135168) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00040000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00050000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00170000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00180000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (4) Address: ($0025F000) Size: (135168) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (2772) Address: ($44200000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($44200000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($4424A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($4424A000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E774000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E774000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6F1000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6F1000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E765000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E765000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6B9000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6B9000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6F0000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6F0000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (1704) Address: ($02AEF000) Size: (4096) Protect: (PAGE_READWRITE PAGE_GUARD) Allocation Type: ()
VM Protect - Target: (4) Address: ($0025F000) Size: (4096) Protect: (PAGE_READWRITE PAGE_GUARD) Allocation Type: ()
VM Write - Target: (1704) Address: ($01670000) Size: (3566) Protect: () Allocation Type: ()
VM Write - Target: (1704) Address: ($01D70000) Size: (2280) Protect: () Allocation Type: ()
VM Write - Target: (1704) Address: ($01E40000) Size: (576) Protect: () Allocation Type: ()
VM Write - Target: (1704) Address: ($01E50000) Size: (64730) Protect: () Allocation Type: ()
VM Write - Target: (1704) Address: ($01E60000) Size: (1732) Protect: () Allocation Type: ()
VM Write - Target: (4) Address: ($00040000) Size: (256) Protect: () Allocation Type: ()
VM Write - Target: (4) Address: ($00050000) Size: (284) Protect: () Allocation Type: ()
VM Write - Target: (4) Address: ($00170000) Size: (256) Protect: () Allocation Type: ()

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 4 (C:\WINDOWS\Explorer.EXE MD5: [418045a93cd87a352098ab7dabe1b53e], PID 1704, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\BROWSEUI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHLWAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHDOCVW.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CRYPT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSASN1.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CRYPTUI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NETAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\VERSION.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WININET.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Normaliz.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\iertutil.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINTRUST.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMAGEHLP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHELL32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\UxTheme.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ShimEng.dll)
Loaded DLL - DLL: (C:\WINDOWS\AppPatch\AcGenral.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINMM.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSACM32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USERENV.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMM32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msctfime.ime)
Loaded DLL - DLL: (C:\WINDOWS\system32\appHelp.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CLBCATQ.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\COMRes.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\cscui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\CSCDLL.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\themeui.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSIMG32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\xpsp2res.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ACTXPRXY.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\msutb.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSCTF.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SAMLIB.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ieframe.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\PSAPI.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\urlmon.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\LINKINFO.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ntshrui.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\mshtml.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msls31.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SETUPAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ws2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RASAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\rasman.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\TAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\rtutils.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NETSHELL.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\credui.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\dot3api.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\dot3dlg.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OneX.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\WTSAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINSTA.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\eappcfg.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCP60.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\eappprxy.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\rsaenh.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msimtf.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\webcheck.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\stobject.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\BatMeter.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\POWRPROF.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WPDShServiceObj.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINHTTP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\mydocs.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\PortableDeviceTypes.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\PortableDeviceApi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msv1_0.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\sensapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: ()

==============================================================================
Filesystem Changes
==============================================================================
Copy File: c:\PostalGusanito.exe to C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS), (FILE_SHARE_READ FILE_SHARE_WRITE), (SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe (OPEN_ALWAYS), (FILE_ANY_ACCESS), (FILE_SHARE_READ), (SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini (OPEN_ALWAYS), (FILE_ANY_ACCESS), (FILE_SHARE_READ), (SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS), (FILE_ANY_ACCESS FILE_READ_ACCESS FILE_READ_DATA FILE_LIST_DIRECTORY FILE_WRITE_ACCESS FILE_WRITE_DATA FILE_ADD_FILE), (FILE_SHARE_READ FILE_SHARE_WRITE), (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Create NamedPipe: \\.\pipe\roo000uuattt
Set File Attributes: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)

==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: roo000uuaaat

==============================================================================
Registry Changes
==============================================================================
Create or Open:
Registry Changes:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ "" = (C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe)
Registry Reads:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ ""
  HKEY_CURRENT_USER\Software\Microsoft\CTF\ ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\ ""
Registry Enums:

==============================================================================
System
==============================================================================
Sleep - Milliseconds (10000)
Sleep - Milliseconds (10)

==============================================================================
User Management
==============================================================================
Get User Name

==============================================================================
Virtual Memory
==============================================================================
VM Protect - Target: (1704) Address: ($719D4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (1704) Address: ($719D4000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()

==============================================================================
Window
==============================================================================

==============================================================================
Winsock
==============================================================================

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 5 (C:\WINDOWS\system32\services.exe MD5: [a3edbe9053889fb24ab22492472b39dc], PID 792, User: SYSTEM)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Report generated at 30.07.2009 08:29:08 with CWSandbox Version 2.1.12
This analysis was created by the CWSandbox
Copyright 2006 Carsten Willems
Copyright 1996-2006 Sunbelt Software. All rights reserved.