CWSandbox Analysis report for file: c:\PostalGusanito.exe
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 1 (c:\PostalGusanito.exe MD5: [30ccf558ea5d08e830942f9cb4a03e26], PID 2612, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
==============================================================================
COM
==============================================================================
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({4495AD01-C993-11D1-A3E4-00A0C90AEA82})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({7FD52380-4E07-101B-AE2D-08002B2EC713})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({37D84F60-42CB-11CE-8135-00AA004BB851})
==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVBVM60.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMM32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\VB6DE.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\VB6ES.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\uxtheme.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SXS.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\version.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msctfime.ime)
Loaded DLL - DLL: (C:\WINDOWS\system32\msctfime.ime)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSCTF.dll)
Loaded DLL - DLL: ()
==============================================================================
Filesystem Changes
==============================================================================
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING), (FILE_ANY_ACCESS), (FILE_SHARE_READ), (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
==============================================================================
INI Files
==============================================================================
Read from INI file: WINHELP.INI [FILES] .HLP =
==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-583907252-1708537768-842925246-500MUTEX.DefaultS-1-5-21-583907252
==============================================================================
Registry Changes
==============================================================================
Create or Open:
Registry Changes:
Registry Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle\ ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle\ ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\ ""
HKEY_CURRENT_USER\Software\Microsoft\CTF\ ""
Registry Enums:
==============================================================================
Process Management
==============================================================================
Creates Process - Filename () CommandLine: (c:\PostalGusanito.exe) Target PID: (2772) As User: () Creation Flags: (CREATE_SUSPENDED)
Kill Process - Filename () CommandLine: () Target PID: (2612) As User: () Creation Flags: ()
==============================================================================
System
==============================================================================
Sleep - Milliseconds (0)
==============================================================================
System Info
==============================================================================
Get System Directory
Get Windows Directory
==============================================================================
Threads
==============================================================================
==============================================================================
Virtual Memory
==============================================================================
VM Allocate - Target: (2772) Address: ($00400000) Size: (118784) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT MEM_RESERVE)
VM Protect - Target: (2772) Address: ($00400000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00400000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00401000) Size: (90112) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00417000) Size: (8192) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00417000) Size: (8192) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00419000) Size: (12288) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($00419000) Size: (12288) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7FFDF000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7FFDF000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: ()
VM Write - Target: (2772) Address: ($00400000) Size: (1024) Protect: () Allocation Type: ()
VM Write - Target: (2772) Address: ($00401000) Size: (90112) Protect: () Allocation Type: ()
VM Write - Target: (2772) Address: ($00417000) Size: (7168) Protect: () Allocation Type: ()
VM Write - Target: (2772) Address: ($00419000) Size: (9728) Protect: () Allocation Type: ()
VM Write - Target: (2772) Address: ($7FFDF008) Size: (4) Protect: () Allocation Type: ()
==============================================================================
Window
==============================================================================
Enum Windows
Destroy Window - Class Name (ThunderRT6Main) Window Name (Stub)
Destroy Window - Class Name () Window Name ()
Destroy Window - Class Name (VBMsoStdCompMgr) Window Name ()
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 2 (C:\WINDOWS\system32\svchost.exe MD5: [4fbc75b74479c7a6f829e0ca19df3366], PID 980, User: SYSTEM)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ShimEng.dll)
Loaded DLL - DLL: (C:\WINDOWS\AppPatch\AcGenral.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINMM.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSACM32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\VERSION.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHELL32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHLWAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USERENV.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\UxTheme.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMM32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NTMARTA.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\SAMLIB.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (c:\windows\system32\rpcss.dll)
Loaded DLL - DLL: (c:\windows\system32\WS2_32.dll)
Loaded DLL - DLL: (c:\windows\system32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\xpsp2res.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CLBCATQ.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\COMRes.dll)
Loaded DLL - DLL: (c:\windows\system32\termsrv.dll)
Loaded DLL - DLL: (c:\windows\system32\ICAAPI.dll)
Loaded DLL - DLL: (c:\windows\system32\SETUPAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINTRUST.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CRYPT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSASN1.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMAGEHLP.dll)
Loaded DLL - DLL: (c:\windows\system32\AUTHZ.dll)
Loaded DLL - DLL: (c:\windows\system32\mstlsapi.dll)
Loaded DLL - DLL: (c:\windows\system32\ACTIVEDS.dll)
Loaded DLL - DLL: (c:\windows\system32\adsldpc.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NETAPI32.dll)
Loaded DLL - DLL: (c:\windows\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\REGAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\rsaenh.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Apphelp.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: ()
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 3 (c:\PostalGusanito.exe MD5: [30ccf558ea5d08e830942f9cb4a03e26], PID 2772, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\advapi32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMM32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\ws2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\wininet.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\shell32.dll)
Loaded DLL - DLL: ()
==============================================================================
Filesystem Changes
==============================================================================
Create File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini
Set File Attributes: C:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
==============================================================================
Registry Changes
==============================================================================
Create or Open:
Registry Changes:
Registry Reads:
Registry Enums:
==============================================================================
Process Management
==============================================================================
Kill Process - Filename () CommandLine: () Target PID: (2772) As User: () Creation Flags: ()
Enum Processes
Enum Modules - Target PID: (2772)
Open Process - Filename () CommandLine: () Target PID: (1704) As User: () Creation Flags: ()
Open Process - Filename () CommandLine: () Target PID: (4) As User: () Creation Flags: ()
==============================================================================
System
==============================================================================
Sleep - Milliseconds (1)
Sleep - Milliseconds (500)
Sleep - Milliseconds (2000)
==============================================================================
System Info
==============================================================================
Get System Directory
Get System Time
==============================================================================
Threads
==============================================================================
Create Thread - Target PID (2772) Thread ID (2808) Thread ID ($77DC848A) Parameter Address ($00000000) Creation Flags ()
Create Remote Thread - Target PID (1704) Thread ID (2812) Thread ID ($01E51A80) Parameter Address ($01E60000) Creation Flags (CREATE_SUSPENDED)
==============================================================================
User Management
==============================================================================
Get User Name
==============================================================================
Virtual Memory
==============================================================================
VM Allocate - Target: (1704) Address: ($01670000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01D70000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E40000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E50000) Size: (65536) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E60000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($02A10000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1704) Address: ($02AEF000) Size: (135168) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00040000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00050000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00170000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00180000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (4) Address: ($0025F000) Size: (135168) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (2772) Address: ($44200000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($44200000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($4424A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($4424A000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E774000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E774000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6F1000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6F1000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E765000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E765000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6B9000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6B9000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6F0000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (2772) Address: ($7E6F0000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
VM Protect - Target: (1704) Address: ($02AEF000) Size: (4096) Protect: (PAGE_READWRITE PAGE_GUARD) Allocation Type: ()
VM Protect - Target: (4) Address: ($0025F000) Size: (4096) Protect: (PAGE_READWRITE PAGE_GUARD) Allocation Type: ()
VM Write - Target: (1704) Address: ($01670000) Size: (3566) Protect: () Allocation Type: ()
VM Write - Target: (1704) Address: ($01D70000) Size: (2280) Protect: () Allocation Type: ()
VM Write - Target: (1704) Address: ($01E40000) Size: (576) Protect: () Allocation Type: ()
VM Write - Target: (1704) Address: ($01E50000) Size: (64730) Protect: () Allocation Type: ()
VM Write - Target: (1704) Address: ($01E60000) Size: (1732) Protect: () Allocation Type: ()
VM Write - Target: (4) Address: ($00040000) Size: (256) Protect: () Allocation Type: ()
VM Write - Target: (4) Address: ($00050000) Size: (284) Protect: () Allocation Type: ()
VM Write - Target: (4) Address: ($00170000) Size: (256) Protect: () Allocation Type: ()
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 4 (C:\WINDOWS\Explorer.EXE MD5: [418045a93cd87a352098ab7dabe1b53e], PID 1704, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\BROWSEUI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHLWAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHDOCVW.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CRYPT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSASN1.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CRYPTUI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NETAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\VERSION.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WININET.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Normaliz.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\iertutil.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINTRUST.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMAGEHLP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHELL32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\UxTheme.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ShimEng.dll)
Loaded DLL - DLL: (C:\WINDOWS\AppPatch\AcGenral.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINMM.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSACM32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USERENV.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\IMM32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msctfime.ime)
Loaded DLL - DLL: (C:\WINDOWS\system32\appHelp.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CLBCATQ.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\COMRes.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\cscui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\CSCDLL.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\themeui.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSIMG32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\xpsp2res.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ACTXPRXY.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\msutb.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSCTF.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SAMLIB.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ieframe.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\PSAPI.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\urlmon.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\LINKINFO.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ntshrui.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\mshtml.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msls31.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SETUPAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ws2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RASAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\rasman.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\TAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\rtutils.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NETSHELL.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\credui.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\dot3api.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\dot3dlg.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OneX.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\WTSAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINSTA.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\eappcfg.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCP60.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\eappprxy.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\rsaenh.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msimtf.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\webcheck.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\stobject.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\BatMeter.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\POWRPROF.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WPDShServiceObj.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WINHTTP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\mydocs.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\PortableDeviceTypes.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\PortableDeviceApi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msv1_0.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\sensapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: ()
==============================================================================
Filesystem Changes
==============================================================================
Copy File: c:\PostalGusanito.exe to C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS), (FILE_SHARE_READ FILE_SHARE_WRITE), (SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe (OPEN_ALWAYS), (FILE_ANY_ACCESS), (FILE_SHARE_READ), (SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini (OPEN_ALWAYS), (FILE_ANY_ACCESS), (FILE_SHARE_READ), (SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS), (FILE_ANY_ACCESS FILE_READ_ACCESS FILE_READ_DATA FILE_LIST_DIRECTORY FILE_WRITE_ACCESS FILE_WRITE_DATA FILE_ADD_FILE), (FILE_SHARE_READ FILE_SHARE_WRITE), (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Create NamedPipe: \\.\pipe\roo000uuattt
Set File Attributes: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: roo000uuaaat
==============================================================================
Registry Changes
==============================================================================
Create or Open:
Registry Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ "" = (C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe)
Registry Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ ""
HKEY_CURRENT_USER\Software\Microsoft\CTF\ ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\ ""
Registry Enums:
==============================================================================
System
==============================================================================
Sleep - Milliseconds (10000)
Sleep - Milliseconds (10)
==============================================================================
User Management
==============================================================================
Get User Name
==============================================================================
Virtual Memory
==============================================================================
VM Protect - Target: (1704) Address: ($719D4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (1704) Address: ($719D4000) Size: (4096) Protect: (PAGE_EXECUTE_READ) Allocation Type: ()
==============================================================================
Window
==============================================================================
==============================================================================
Winsock
==============================================================================
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 5 (C:\WINDOWS\system32\services.exe MD5: [a3edbe9053889fb24ab22492472b39dc], PID 792, User: SYSTEM)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Report generated at 30.07.2009 08:29:08 with CWSandbox Version 2.1.12
This analysis was created by the CWSandbox Copyright 2006 Carsten Willems
Copyright 1996-2006 Sunbelt Software. All rights reserved.