
Submission Details
Date 30.07.2009 08:29:08
Sandbox Version 2.1.12
File Name c:\PostalGusanito.exe
Submitting Email
Comment
Summary Findings
Total Number of Processes 5
Termination Reason NormalTermination
Start Time 00:01.094
Stop Time 00:10.703
Start Reason AnalysisTarget
Analysis Highlights
Spawned Processes Found 4 Processes.
Filesystem Changes
Registry Changes
Network Activity
File Changes by all processes
New Files
C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini
C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini
\\.\pipe\roo000uuattt
\Device\RasAcd
Opened Files
C:\WINDOWS\Registration\R000000000007.clb
\\.\PIPE\lsarpc
Deleted Files
Chronological Order
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini
Copy File: c:\PostalGusanito.exe to C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
Set File Attributes: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe (OPEN_ALWAYS)
Create/Open File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini (OPEN_ALWAYS)
Create NamedPipe: \\.\pipe\roo000uuattt
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Enums
Network Activity
Connections
DNS Lookup
Host Name IP Address
infotechpro.info 216.66.76.209
dell-d3e62f7e26 10.1.8.2
UDP Connections
Remote IP Address: 216.66.76.209 Port: 7006
Send Datagram: packet(s) of size 7
Send Datagram: 6 packet(s) of size 3
Send Datagram: packet(s) of size 60
Send Datagram: 3 packet(s) of size 17
Send Datagram: packet(s) of size 30
Send Datagram: packet(s) of size 1
Recv Datagram: 5103 packet(s) of size 0
Recv Datagram: 2 packet(s) of size 8
Recv Datagram: 5 packet(s) of size 3
Recv Datagram: packet(s) of size 81
Recv Datagram: packet(s) of size 7
Recv Datagram: packet(s) of size 62
Recv Datagram: packet(s) of size 6
Technical Details
Analysis Number 1
Parent ID 0
Process ID 2612
Filename c:\PostalGusanito.exe
Filesize 239424 bytes
MD5 30ccf558ea5d08e830942f9cb4a03e26
Start Reason AnalysisTarget
Termination Reason NormalTermination
Start Time 00:01.094
Stop Time 00:10.703
COM
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({4495AD01-C993-11D1-A3E4-00A0C90AEA82})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({7FD52380-4E07-101B-AE2D-08002B2EC713})
COM Create Instance: C:\WINDOWS\system32\msvbvm60.dll, ProgID: (), Interface ID: ({37D84F60-42CB-11CE-8135-00AA004BB851})
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\MSVBVM60.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\VB6DE.DLL
C:\WINDOWS\system32\VB6ES.DLL
C:\WINDOWS\system32\uxtheme.dll
C:\WINDOWS\system32\SXS.DLL
C:\WINDOWS\system32\version.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\MSCTF.dll
Filesystem
Opened Files
C:\WINDOWS\Registration\R000000000007.clb
Chronological order
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
INI Files
Read INI File
WINHELP.INI [FILES] .HLP =
Mutexes
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-583907252-1708537768-842925246-500MUTEX.DefaultS-1-5-21-583907252
Registry
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM ""
HKEY_CURRENT_USER\Software\Microsoft\CTF ""
Process Management
Creates Process - Filename () CommandLine: (c:\PostalGusanito.exe) As User: () Creation Flags: (CREATE_SUSPENDED)
Kill Process - Filename () CommandLine: () Target PID: (2612) As User: () Creation Flags: ()
System
Sleep - Milliseconds (0)
System Info
Get System Directory
Get Windows Directory
Threads
Virtual Memory
VM Allocate - Target: (2772) Address: ($00400000) Size: (118784) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT MEM_RESERVE)
VM Protect - Target: (2772) Address: ($00400000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($00400000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($00401000) Size: (90112) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($00417000) Size: (8192) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($00417000) Size: (8192) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($00419000) Size: (12288) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($00419000) Size: (12288) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($7FFDF000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($7FFDF000) Size: (4096) Protect: (PAGE_READWRITE)
VM Write - Target: (2772) Address: ($00400000) Size: (1024)
VM Write - Target: (2772) Address: ($00401000) Size: (90112)
VM Write - Target: (2772) Address: ($00417000) Size: (7168)
VM Write - Target: (2772) Address: ($00419000) Size: (9728)
VM Write - Target: (2772) Address: ($7FFDF008) Size: (4)
Window
Enum Windows
Destroy Window - Class Name (ThunderRT6Main) Window Name (Stub)
Destroy Window - Class Name () Window Name ()
Destroy Window - Class Name (VBMsoStdCompMgr) Window Name ()
Analysis Number 2
Parent ID 0
Process ID 980
Filename C:\WINDOWS\system32\svchost.exe
Filesize 14336 bytes
MD5 4fbc75b74479c7a6f829e0ca19df3366
Start Reason DCOMService
Termination Reason Timeout
Start Time 00:03.375
Stop Time 02:01.766
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\NTMARTA.DLL
C:\WINDOWS\system32\SAMLIB.dll
C:\WINDOWS\system32\WLDAP32.dll
c:\windows\system32\rpcss.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
c:\windows\system32\termsrv.dll
c:\windows\system32\ICAAPI.dll
c:\windows\system32\SETUPAPI.dll
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\IMAGEHLP.dll
c:\windows\system32\AUTHZ.dll
c:\windows\system32\mstlsapi.dll
c:\windows\system32\ACTIVEDS.dll
c:\windows\system32\adsldpc.dll
C:\WINDOWS\system32\NETAPI32.dll
c:\windows\system32\ATL.DLL
C:\WINDOWS\system32\REGAPI.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\pstorec.dll
The following process was started by process: 1
Analysis Number 3
Parent ID 1
Process ID 2772
Filename c:\PostalGusanito.exe
Filesize 239424 bytes
MD5 30ccf558ea5d08e830942f9cb4a03e26
Start Reason CreateProcess
Termination Reason NormalTermination
Start Time 00:10.297
Stop Time 00:29.156
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\shell32.dll
Filesystem
New Files
C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini
Chronological order
Set File Attributes: C:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini
Registry
Process Management
Kill Process - Filename () CommandLine: () Target PID: (2772) As User: () Creation Flags: ()
Enum Processes
Enum Modules - Target PID: (2772)
Open Process - Filename () Target PID: (1704)
Open Process - Filename () Target PID: (4)
System
Sleep - Milliseconds (1)
Sleep - Milliseconds (500)
Sleep - Milliseconds (2000)
System Info
Get System Directory
Get System Time
Threads
Create Thread - Target PID (2772) Thread ID (2808) Thread ID ($77DC848A) Parameter Address ($00000000) Creation Flags ()
Create Remote Thread - Target PID (1704) Thread ID (2812) Thread ID ($01E51A80) Parameter Address ($01E60000) Creation Flags (CREATE_SUSPENDED)
User Management
Get User Name
Virtual Memory
VM Allocate - Target: (1704) Address: ($01670000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01D70000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E40000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E50000) Size: (65536) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($01E60000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1704) Address: ($02A10000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1704) Address: ($02AEF000) Size: (135168) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00040000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00050000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00170000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00180000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (4) Address: ($0025F000) Size: (135168) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (2772) Address: ($44200000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($44200000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($4424A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($4424A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($441F4000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($441F5000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($7E774000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($7E774000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($7E6F1000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($7E6F1000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($7E765000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($7E765000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($7E6B9000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($7E6B9000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2772) Address: ($7E6F0000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2772) Address: ($7E6F0000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1704) Address: ($02AEF000) Size: (4096) Protect: (PAGE_READWRITE PAGE_GUARD)
VM Protect - Target: (4) Address: ($0025F000) Size: (4096) Protect: (PAGE_READWRITE PAGE_GUARD)
VM Write - Target: (1704) Address: ($01670000) Size: (3566)
VM Write - Target: (1704) Address: ($01D70000) Size: (2280)
VM Write - Target: (1704) Address: ($01E40000) Size: (576)
VM Write - Target: (1704) Address: ($01E50000) Size: (64730)
VM Write - Target: (1704) Address: ($01E60000) Size: (1732)
VM Write - Target: (4) Address: ($00040000) Size: (256)
VM Write - Target: (4) Address: ($00050000) Size: (284)
VM Write - Target: (4) Address: ($00170000) Size: (256)
The following process was started by process: 3
Analysis Number 4
Parent ID 3
Process ID 1704
Filename C:\WINDOWS\Explorer.EXE
Filesize 1036800 bytes
MD5 418045a93cd87a352098ab7dabe1b53e
Start Reason InjectedCode
Termination Reason Timeout
Start Time 00:25.922
Stop Time 02:01.469
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\BROWSEUI.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\SHDOCVW.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\CRYPTUI.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\Normaliz.dll
C:\WINDOWS\system32\iertutil.dll
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\appHelp.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\System32\cscui.dll
C:\WINDOWS\System32\CSCDLL.dll
C:\WINDOWS\system32\themeui.dll
C:\WINDOWS\system32\MSIMG32.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\system32\ACTXPRXY.DLL
C:\WINDOWS\system32\msutb.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\SAMLIB.dll
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\LINKINFO.dll
C:\WINDOWS\system32\ntshrui.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\mshtml.dll
C:\WINDOWS\system32\msls31.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\RASAPI32.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\NETSHELL.dll
C:\WINDOWS\system32\credui.dll
C:\WINDOWS\system32\dot3api.dll
C:\WINDOWS\system32\dot3dlg.dll
C:\WINDOWS\system32\OneX.DLL
C:\WINDOWS\system32\WTSAPI32.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\eappcfg.dll
C:\WINDOWS\system32\MSVCP60.dll
C:\WINDOWS\system32\eappprxy.dll
C:\WINDOWS\system32\iphlpapi.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\msimtf.dll
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\stobject.dll
C:\WINDOWS\system32\BatMeter.dll
C:\WINDOWS\system32\POWRPROF.dll
C:\WINDOWS\system32\WPDShServiceObj.dll
C:\WINDOWS\system32\WINHTTP.dll
C:\WINDOWS\system32\mydocs.dll
C:\WINDOWS\system32\PortableDeviceTypes.dll
C:\WINDOWS\system32\PortableDeviceApi.dll
C:\WINDOWS\system32\msv1_0.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\pstorec.dll
Filesystem
New Files
C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini
\\.\pipe\roo000uuattt
\Device\RasAcd
Opened Files
\\.\PIPE\lsarpc
Chronological order
Copy File: c:\PostalGusanito.exe to C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
Set File Attributes: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe (OPEN_ALWAYS)
Create/Open File: C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini (OPEN_ALWAYS)
Create NamedPipe: \\.\pipe\roo000uuattt
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Mutexes
Creates Mutex: roo000uuaaat
Registry
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "" = C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ""
HKEY_CURRENT_USER\Software\Microsoft\CTF ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""
System
Sleep - Milliseconds (10000)
Sleep - Milliseconds (10)
User Management
Get User Name
Virtual Memory
VM Protect - Target: (1704) Address: ($719D4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1704) Address: ($719D4000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
Window
Network Activity
DNS Lookup
Host Name IP Address
infotechpro.info 216.66.76.209
dell-d3e62f7e26 10.1.8.2
UDP Connections
Remote IP Address: 216.66.76.209 Port: 7006
Send Datagram: packet(s) of size 7
Send Datagram: 6 packet(s) of size 3
Send Datagram: packet(s) of size 60
Send Datagram: 3 packet(s) of size 17
Send Datagram: packet(s) of size 30
Send Datagram: packet(s) of size 1
Recv Datagram: 5103 packet(s) of size 0
Recv Datagram: 2 packet(s) of size 8
Recv Datagram: 5 packet(s) of size 3
Recv Datagram: packet(s) of size 81
Recv Datagram: packet(s) of size 7
Recv Datagram: packet(s) of size 62
Recv Datagram: packet(s) of size 6
Analysis Number 5
Parent ID 0
Process ID 792
Filename C:\WINDOWS\system32\services.exe
Filesize 111104 bytes
MD5 a3edbe9053889fb24ab22492472b39dc
Start Reason SCM
Termination Reason Timeout
Start Time 00:38.047
Stop Time 02:01.656