Download Link: hxxp://gpsoftdev.com/downloads/sspro/internet/gp480c/sspro_48.exe
File Name: sspro_48.exe
File size: 538351 bytes
MD5...: 606c301c4a9a61a087a30814550fbbc6
SHA1..: b418e8c758e1f47f3ecdbff89db4450b1a4ce55d
SHA256: e51dd8ca4bd64345693555c11c52fdde345b3253d13c68a3a4b79572dc176766
SHA512: 5362098e42994b62cd084745a29d71368914ab83e680ae85ccee96c79d6b3cf9e2a529fdf08e663f56d9ef074937b36318f48e4576cec6107761e48b4e953df7

VirusTotal Result: 11/32 (34.38%)
AntiVir 7.6.0.81 2008.04.05 DR/Dldr.Agent.R.1
Avast 4.7.1098.0 2008.04.06 Win32:Trojan-gen {Other}
eSafe 7.0.15.0 2008.04.01 Spyware.Gen
Fortinet 3.14.0.0 2008.04.06 Download/Agent
Ikarus T3.1.1.20 2008.04.06 not-a-virus:Downloader.Win32.Agent.r
Kaspersky 7.0.0.125 2008.04.06 not-a-virus:Downloader.Win32.Agent.r
Panda 9.0.0.4 2008.04.05 Trj/Downloader.MDW
Prevx1 V2 2008.04.06 Heuristic: Suspicious File With Bad Child Associations
Symantec 10 2008.04.06 Spyware.Systemsurv
VBA32 3.12.6.4 2008.04.05 Downloader.Win32.Agent.r
Webwasher-Gateway 6.6.2 2008.04.05 Trojan.Dropper.Dldr.Agent.R.1

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0004
Time/Date stamp: 3BD86C3F
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 050F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00002200
Size of initialized data: 00001600
Size of uninitialized data: 00000000
Address of entry point: 000021AF
Base of code: 00001000
Base of data: 00004000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0004
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00007000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
.text   00002126 00001000 00002200 00000400 60000020
.rdata  00000779 00004000 00000800 00002600 40000040
.data   00000478 00005000 00000400 00002E00 C0000040
.rsrc   00000640 00006000 00000800 00003200 40000040

Export table (names: 2, functions: 2)
#0 - _MainWndProc@16
#1 - _StubFileWrite@12

Import table (libraries: 4)
------------------------------------
KERNEL32.dll (imports: 32)
lstrcpyA GetCommandLineA SetErrorMode lstrlenA MulDiv GetTempFileNameA GetWindowsDirectoryA GetModuleFileNameA GetModuleHandleA FormatMessageA lstrcatA GetLastError _lwrite _llseek GlobalUnlock _lopen GlobalAlloc GlobalFree _lclose _lcreat LoadLibraryA GetProcAddress FreeLibrary OpenFile GetVersionExA GetCurrentProcess WinExec ExitProcess _lread LocalFree GetTempPathA GlobalLock
USER32.dll (imports: 21)
GetDC BeginPaint EndPaint InvalidateRect PostQuitMessage SendMessageA DefWindowProcA GetClientRect CreateWindowExA DrawTextA ReleaseDC ShowWindow SetWindowPos UpdateWindow SetTimer LoadIconA wsprintfA MessageBoxA ExitWindowsEx RegisterClassA LoadCursorA
GDI32.dll (imports: 14)
DeleteObject GetStockObject GetDeviceCaps PatBlt CreateSolidBrush TextOutA SetTextColor SetBkMode SelectObject StretchDIBits CreateFontA RealizePalette SelectPalette CreatePalette
ADVAPI32.dll (imports: 3)
OpenProcessToken AdjustTokenPrivileges LookupPrivilegeValueA

Process ID 452
Filename C:\file.exe
Filesize 538351 bytes
MD5 606c301c4a9a61a087a30814550fbbc6
Start Reason AnalysisTarget

File System Activities:
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\GLJ4.tmp
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\GLK7.tmp
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\GLMA.tmp
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\7102_appcompat.txt
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\7102_appcompat.txt
Find File: C:\WINDOWS\system32\*
Open File: C:\WINDOWS\system32\advapi32.dll ()
Find File: advapi32.dll
Open File: C:\WINDOWS\system32\advapi32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\gdi32.dll ()
Find File: gdi32.dll
Open File: C:\WINDOWS\system32\gdi32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kernel32.dll ()
Find File: kernel32.dll
Open File: C:\WINDOWS\system32\kernel32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ntdll.dll ()
Find File: ntdll.dll
Open File: C:\WINDOWS\system32\ntdll.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ole32.dll ()
Find File: ole32.dll
Open File: C:\WINDOWS\system32\ole32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\oleaut32.dll ()
Find File: oleaut32.dll
Open File: C:\WINDOWS\system32\oleaut32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\shell32.dll ()
Find File: shell32.dll
Open File: C:\WINDOWS\system32\shell32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\user32.dll ()
Find File: user32.dll
Open File: C:\WINDOWS\system32\user32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wininet.dll ()
Find File: wininet.dll
Open File: C:\WINDOWS\system32\wininet.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\winsock.dll ()
Find File: winsock.dll
Open File: C:\WINDOWS\system32\winsock.dll (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\GLC1.tmp Flags: (SECURITY_ANONYMOUS)
Create/Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\7102_appcompat.txt (OPEN_ALWAYS)
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\GLC1.tmp
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\GLC1.tmp ()
Find File: GLC1.tmp
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\GLC1.tmp (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\dwwin.exe ()
Find File: dwwin.exe

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "DoReport"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "ShowUI"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "AllOrNone"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeMicrosoftApps"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeWindowsApps"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "DoTextLog"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeKernelFaults"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeShutdownErrs"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "NumberOfFaultPipes"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "NumberOfHangPipes"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "MaxUserQueueSize"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "ForceQueueMode"
HKEY_LOCAL_MACHINE\System\Setup "SystemSetupInProgress"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management:
Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\dwwin.exe -x -s 1368) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE)
Enum Modules - Target PID: (452)
Enum Modules - Target PID: (452)

Process Started:
Process ID 472
Filename C:\WINDOWS\system32\dwwin.exe -x -s 1368
Filesize 180224 bytes
MD5 7c25440617eee6f69709aa8c915d2c32
Start Reason CreateProcess

File System Activities:
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\1778C.dmp
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Read INI File: WIN.INI [windows] ScrollInset =
Read INI File: WIN.INI [windows] DragDelay =
Read INI File: WIN.INI [windows] DragMinDist =
Read INI File: WIN.INI [windows] ScrollDelay =
Read INI File: WIN.INI [windows] ScrollInterval =
Read INI File: WIN.INI [richedit30] flags =

Mutexes:
Creates Mutex: RasPbFile

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion "DigitalProductId"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings "Anchor Color"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug "Debugger"

System Info:
Get System Directory
Get Computer Name

User Management:
Impersonate User - Domain: () User: (Sandbox)

Note on reading the trace: the child process dwwin.exe (Dr. Watson) started with "-x -s 1368" under CREATE_DEFAULT_ERROR_MODE, the 7102_appcompat.txt file and the 1778C.dmp dump mean the analysis target (PID 452) crashed in the sandbox. The PCHealth\ErrorReporting and AeDebug registry reads, the *.pbk searches and the RasPbFile mutex are crash-reporter activity (PID 472), not sample behaviour. Before the crash the sample only created three temp files (GLJ4.tmp, GLK7.tmp, GLMA.tmp) and touched GLC1.tmp with the same Find/Open sequence used for the system DLLs; the trace shows no execution of a dropped file and no network activity, so the downloader verdicts above are not confirmed by this run, and the GL*.tmp files are the first things to recover from the sandbox.
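The PE header and section values reported above can be checked mechanically before any dynamic work. The following Python is an added example (not part of the original report and not a tool used by the analyst): it builds a stand-in image whose headers carry exactly the reported values, padded with zeros to the reported file size, then parses it with `struct` and runs the triage checks a practitioner wants: decode the link timestamp, confirm the entry point lies in `.text` and compute its file offset, decode the characteristics bits, look for writable+executable sections, and measure the overlay (bytes past the last section), which for these numbers is large and consistent with a stub installer carrying an appended payload. The helper names (`build_sample_image`, `parse_pe`, `triage`) are this example's own.

```python
"""Parse the PE headers reported above and run the triage checks an analyst
applies to them. The image bytes are CONSTRUCTED here to carry the header
and section values from the report (the real sspro_48.exe is not embedded);
everything past the section table is zero padding standing in for the body."""
import struct
from datetime import datetime, timezone

REPORTED_FILE_SIZE = 538351       # "File size" from the report
REPORTED_TIMESTAMP = 0x3BD86C3F   # "Time/Date stamp" from the report

# Subset of IMAGE_FILE_* characteristic bits (winnt.h) worth naming in triage
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE", 0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x2000: "DLL",
}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / _WRITE

# (name, VirtSize, VirtAddr, PhysSize, PhysAddr, Flags) exactly as reported
REPORTED_SECTIONS = [
    (b".text",  0x2126, 0x1000, 0x2200, 0x0400, 0x60000020),
    (b".rdata", 0x0779, 0x4000, 0x0800, 0x2600, 0x40000040),
    (b".data",  0x0478, 0x5000, 0x0400, 0x2E00, 0xC0000040),
    (b".rsrc",  0x0640, 0x6000, 0x0800, 0x3200, 0x40000040),
]


def build_sample_image() -> bytes:
    """Constructed stand-in: DOS header, PE signature, IMAGE_FILE_HEADER,
    IMAGE_OPTIONAL_HEADER32 and section table with the reported values,
    padded with zeros to the reported file size."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(REPORTED_SECTIONS),
                           REPORTED_TIMESTAMP, 0, 0, 0xE0, 0x050F)
    opt_hdr = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x010B, 6, 0,                         # PE32 magic, linker 6.0
        0x2200, 0x1600, 0,                    # code / init / uninit data sizes
        0x21AF, 0x1000, 0x4000,               # entry point, base of code, base of data
        0x400000, 0x1000, 0x200,              # image base, section align, file align
        4, 0, 4, 0, 4, 0,                     # OS / image / subsystem versions
        0, 0x7000, 0x400, 0,                  # Win32 version, SizeOfImage, SizeOfHeaders, checksum
        2, 0,                                 # subsystem (GUI), DLL characteristics
        0x100000, 0x1000, 0x100000, 0x1000,   # stack / heap reserve and commit
        0, 16)                                # loader flags, number of RVAs
    opt_hdr += b"\0" * (16 * 8)               # empty data directories
    sec_tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, ps, pa, 0, 0, 0, 0, fl)
                       for n, vs, va, ps, pa, fl in REPORTED_SECTIONS)
    image = bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + sec_tbl
    return image.ljust(REPORTED_FILE_SIZE, b"\0")


def parse_pe(data: bytes) -> dict:
    """Minimal PE32 header parser (no third-party dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    opt = struct.unpack_from("<HBBIIIIIIIII", data, opt_off)   # fields through FileAlignment
    if opt[0] != 0x010B:
        raise ValueError("not a PE32 optional header")
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw, *_, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "raw_size": rsize, "raw": raw, "flags": flags})
    return {"machine": machine, "timestamp": ts, "characteristics": chars,
            "entry": opt[6], "image_base": opt[9], "subsystem": subsystem,
            "sections": sections}


def triage(data: bytes) -> dict:
    """Checks an analyst runs on the header values before any dynamic work."""
    pe = parse_pe(data)
    secs = pe["sections"]
    end_of_sections = max(s["raw"] + s["raw_size"] for s in secs)
    ep = pe["entry"]
    ep_sec = next((s for s in secs
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "compiled_utc": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc),
        "flags": [n for bit, n in FILE_CHARACTERISTICS.items() if pe["characteristics"] & bit],
        "entry_section": ep_sec["name"] if ep_sec else None,
        # File offset of the entry point, for the disassembler
        "entry_file_offset": ep_sec["raw"] + (ep - ep_sec["va"]) if ep_sec else None,
        "end_of_sections": end_of_sections,
        # Bytes after the last section: a stub installer carries its payload here
        "overlay_bytes": len(data) - end_of_sections,
        "writable_executable": [s["name"] for s in secs
                                if s["flags"] & SCN_WRITE and s["flags"] & SCN_EXECUTE],
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(f"{key}: {value}")
```

Run against a real file, `triage(open(path, "rb").read())` gives the same fields; the overlay figure is the one to act on first, since a stub that exports `_StubFileWrite` and imports `GetTempFileNameA`, `_lcreat`, `_lwrite` and `WinExec` is expected to write that overlay out to a temp file and run it.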
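The import table above is the other static input worth turning into hypotheses before a sandbox run. The following Python is an added example (not part of the original report, and the rule set is this example's own, not any vendor's signature): it takes the imports exactly as listed, matches them against a few AND-of-OR capability rules, and then reconciles the hits with the AV labels, which is how one notices that the "Downloader" verdicts are not explained by any network import in this binary. The names `REPORTED_IMPORTS`, `RULES`, `match_rules` and `reconcile_with_av_labels` are the example's own.

```python
"""Capability triage over an import table. The import names below are the
ones listed in the report above; the rules are this example's own, written
to show how a raw import list becomes hypotheses to confirm in the sandbox
(they are not a vendor signature)."""

# Imports exactly as reported, per library
REPORTED_IMPORTS = {
    "KERNEL32.dll": """lstrcpyA GetCommandLineA SetErrorMode lstrlenA MulDiv GetTempFileNameA
        GetWindowsDirectoryA GetModuleFileNameA GetModuleHandleA FormatMessageA lstrcatA
        GetLastError _lwrite _llseek GlobalUnlock _lopen GlobalAlloc GlobalFree _lclose _lcreat
        LoadLibraryA GetProcAddress FreeLibrary OpenFile GetVersionExA GetCurrentProcess WinExec
        ExitProcess _lread LocalFree GetTempPathA GlobalLock""".split(),
    "USER32.dll": """GetDC BeginPaint EndPaint InvalidateRect PostQuitMessage SendMessageA
        DefWindowProcA GetClientRect CreateWindowExA DrawTextA ReleaseDC ShowWindow SetWindowPos
        UpdateWindow SetTimer LoadIconA wsprintfA MessageBoxA ExitWindowsEx RegisterClassA
        LoadCursorA""".split(),
    "GDI32.dll": """DeleteObject GetStockObject GetDeviceCaps PatBlt CreateSolidBrush TextOutA
        SetTextColor SetBkMode SelectObject StretchDIBits CreateFontA RealizePalette
        SelectPalette CreatePalette""".split(),
    "ADVAPI32.dll": "OpenProcessToken AdjustTokenPrivileges LookupPrivilegeValueA".split(),
}

# A rule is a list of groups; it fires when every group has at least one API
# present (an AND of ORs), so different API generations match the same intent.
RULES = {
    "drop-to-temp-and-execute": [
        {"GetTempPathA", "GetTempFileNameA"},
        {"_lcreat", "_lwrite", "CreateFileA", "WriteFile"},
        {"WinExec", "CreateProcessA", "ShellExecuteA"},
    ],
    "adjust-privilege-then-reboot": [
        {"OpenProcessToken"}, {"LookupPrivilegeValueA"},
        {"AdjustTokenPrivileges"}, {"ExitWindowsEx"},
    ],
    "dynamic-api-resolution": [{"LoadLibraryA", "LoadLibraryW"}, {"GetProcAddress"}],
    "network-download": [
        {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "URLDownloadToFileA",
         "WSAStartup", "socket", "connect", "recv"},
    ],
}


def match_rules(imports: dict, rules: dict = RULES) -> dict:
    """Return {rule name: [APIs that satisfied it]} for rules whose every group matched."""
    present = {api for apis in imports.values() for api in apis}
    hits = {}
    for name, groups in rules.items():
        matched = [sorted(group & present) for group in groups]
        if all(matched):
            hits[name] = [api for group in matched for api in group]
    return hits


def reconcile_with_av_labels(hits: dict, labels: list) -> list:
    """Point out what the AV verdicts imply that the static import table does not show."""
    notes = []
    if any("Downloader" in lbl or "Dldr" in lbl for lbl in labels) and "network-download" not in hits:
        notes.append("download verdicts but no network imports: look for the network "
                     "code in a dropped payload or behind GetProcAddress")
    if "drop-to-temp-and-execute" in hits:
        notes.append("stub writes to %TEMP% and executes: capture the dropped file "
                     "before judging the sample on this binary alone")
    return notes


if __name__ == "__main__":
    found = match_rules(REPORTED_IMPORTS)
    for rule, apis in found.items():
        print(f"{rule}: {', '.join(apis)}")
    for note in reconcile_with_av_labels(found, ["DR/Dldr.Agent.R.1", "Downloader.Win32.Agent.r"]):
        print("note:", note)
```

The `adjust-privilege-then-reboot` hit is the ordinary installer pattern (enable SeShutdownPrivilege, then `ExitWindowsEx`), and `dynamic-api-resolution` is why an empty `network-download` result is not proof of absence: either the dropped file or a `GetProcAddress`-resolved import can carry the download code, which only a run in which the sample does not crash can settle.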